
[BUG] v2.1.2 breaks secrets in JSON format #194

Closed
dlavrenuek opened this issue Mar 11, 2021 · 10 comments · Fixed by #466 or #473
Labels
bug Something isn't working

Comments

@dlavrenuek
Describe the bug
vault-action v2.1.2 breaks secrets that are stored as JSON, for example JSON Web Token keys, because the values are now parsed as JSON instead of being passed through as strings.

To Reproduce
Example secret that is stored as json:

{ "kty": "RSA", "n": ...

Was in v2.1.1 passed to the application in the correct JSON format as

{ "kty": "RSA", "n": ...

In v2.1.2 it is passed to the application as JavaScript object representation, which is not valid JSON:

{ kty: RSA, n: ...

This results in a fatal error in the application due to invalid formatting.

Expected behavior
Secrets in JSON format should not be modified and should be passed to the application as valid JSON.

dlavrenuek added the "bug" label on Mar 11, 2021
@jasonodonnell (Contributor)

Hi @dlavrenuek, this is unfortunate due to the change made on parsing secrets from Vault. We're taking a look at this.

@dlavrenuek (Author)

Hi @jasonodonnell, do you know what the use case for PR #173 was and how it was tested? From what I can see in the code, even though the secret is parsed with JSON.parse, it is returned as a string in the end anyway, and I can't find any interaction with the parsed secret in between.

@dlavrenuek (Author)

@jasonodonnell this issue has been open for quite some time now; is a fix planned?

@MattPumphrey
Any updates on this? I am unable to use this functionality and would very much like to.

@fairclothjm (Contributor)

Hi @dlavrenuek or @MattPumphrey I have been unable to capture this in the e2e tests. See my PR here: #466

If you can help me recreate this issue then I can try to get it fixed. Manual repro steps would be fine too if you can't provide pointers on my tests. Thanks!

@markoojleski-factoryww
@fairclothjm I think the case (as mentioned above) is when you use an "unquoted" JSON secret stored in Vault, such as:
{ "kty": "RSA", "n": "xxx" }

In your tests you are wrapping the JSON in single quotes, which is not the exact case here:
expect(process.env.SECRET_JSON).toBe('{"x":1,"y":2}')

Try storing the unquoted JSON in Vault/env and running the test:
{ "kty": "RSA", "n": "xxx" }

By the way, yes, I can also confirm that when storing the unquoted JSON, you get an env variable with the double quotes removed from the secret.

@fairclothjm (Contributor)

Released Vault GitHub Action v2.7.0 which should fix this regression!

@fairclothjm (Contributor)

Reopening as we had to revert #466 in #471

@fairclothjm (Contributor)

Released Vault GitHub Action v2.7.2 which should (finally) fix this regression!

@fairclothjm (Contributor)

fairclothjm commented Jul 19, 2023

As noted above, this has to do with how the secret is stored in Vault. The solution for this as of Vault Action v2.7.3 is to access the secret via the environment variable that is set by Vault Action.

For example, with the following setup

jobs:
    build:
        # ...
        steps:
            # ...
            - name: Import Secrets
              id: import-secrets
              uses: hashicorp/vault-action@v2
              with:
                url: https://vault.mycompany.com:8200
                token: ${{ secrets.VAULT_TOKEN }}
                secrets: |
                    secret/data/json-data jwt_data | MY_JWT ;
            # ...

We can access the environment variables like

#...
            - name: Step following 'Import Secrets'
              run: |
                echo "$JWT_DATA"
                echo "$MY_JWT"
            # ...

The JSON will be properly formatted.
