vault ssh may print misleading warning message #19785

Closed
pschulten opened this issue Mar 28, 2023 · 3 comments
Labels: bug, core/cli

Comments

@pschulten

Describe the bug
#16683 changed the way vault generates warnings on potential errors regarding flags. This has a side effect when using vault ssh, which now generates an (unhelpful) warning.

To Reproduce
Steps to reproduce the behavior:

$ vault ssh -mode=ca -role=role -strict-host-key-checking=false -valid-principals=prince 10.227.12.248 -- pwd -P
Command flags must be provided before positional arguments. The following arguments will not be parsed as flags: [--,-P]
/home/prince

Expected behavior
No warning printed

Environment:

  • Vault Server Version (retrieve with vault status): 1.11.4
  • Vault CLI Version (retrieve with vault version): v1.13.0
  • Server Operating System/Architecture: macos (bash)

Additional context
Maybe stop parsing flags after the double dash. Workaround:

$ vault ssh -mode=ca -role=role -strict-host-key-checking=false -valid-principals=prince 10.227.12.248 -- pwd -P 2>/dev/null
/home/prince

stevendpclark added the core/cli and bug labels Mar 28, 2023

@hghaf099
Contributor

hghaf099 commented May 2, 2023

Thanks for filing this ticket, and welcome to the HashiCorp Vault community. The warning messages are not misleading, as they inform the user which input arguments are not considered flags. Such a warning is not printed if you pass in --format=json. The errors regarding flag errors are still printed if the flags are in the correct position:

$> vault ssh -mode=ca -role=role -strict-host-key-checking=false -notDefined=2 -valid-principals=prince 10.227.12.248
Command flags must be provided before positional arguments. The following arguments will not be parsed as flags: [-valid-principals=prince]
flag provided but not defined: -notDefined

I am going to close this issue for now. Please feel free to open a new ticket, or if you have further concerns, please let us know and we will reopen the issue for further discussion.

hghaf099 closed this as completed May 2, 2023

@maxb
Contributor

maxb commented May 2, 2023

Hi @hghaf099,

I think this issue should be reopened, as it is reporting a genuine defect:

The vault ssh command has the unusual purpose of being a wrapper that invokes the real ssh command (after obtaining credentials). Moreover, the ssh command can take another command on its command line, to run on the remote machine. Because of this, there are multiple ways in which it can be a normal use-case for there to be option-like arguments later in the command line, which are deliberately intended either for ssh, or for a command being run via ssh on the remote machine.

This is quite unlike most other commands, where option-like things occurring after positional arguments are often a mistake.

It doesn't make sense to try to provide users with a helpful wrapper for Vault SSH operations, but then have it nag them with spurious warnings when they use it in the intended fashion.
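
The report's suggestion to stop treating arguments as flags after the double dash, and the wrapper behaviour described in the comment above, can be sketched as follows. This is an added example, not part of the thread and not Vault's code; `misplacedFlags` and `warning` are hypothetical names, and it assumes flags use the `-name=value` form shown in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// misplacedFlags returns option-like arguments found after the first
// positional argument and before a "--" terminator. Everything after "--"
// is treated as the remote command and is never reported.
// Assumption: flags take the -name=value form used in the issue, so any
// argument that does not start with "-" is positional.
func misplacedFlags(args []string) []string {
	var misplaced []string
	seenPositional := false
	for _, arg := range args {
		if arg == "--" {
			break // end of options: the rest belongs to ssh / the remote command
		}
		optionLike := len(arg) > 1 && strings.HasPrefix(arg, "-")
		switch {
		case !optionLike:
			seenPositional = true
		case seenPositional:
			misplaced = append(misplaced, arg)
		}
	}
	return misplaced
}

// warning builds the message text quoted in the issue, or "" if nothing is misplaced.
func warning(args []string) string {
	m := misplacedFlags(args)
	if len(m) == 0 {
		return ""
	}
	return "Command flags must be provided before positional arguments. " +
		"The following arguments will not be parsed as flags: [" + strings.Join(m, ",") + "]"
}

func main() {
	// Constructed inputs modelled on the command line in the report.
	reported := []string{"-mode=ca", "-role=role", "10.227.12.248", "--", "pwd", "-P"}
	mistake := []string{"-mode=ca", "10.227.12.248", "-role=role", "--", "pwd", "-P"}
	fmt.Printf("reported: %q\n", warning(reported))
	fmt.Printf("mistake:  %q\n", warning(mistake))
}
```

With this rule the reported invocation produces no warning, while a wrapper flag that really is placed after the host is still flagged.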

@hghaf099
Contributor

This issue should have been fixed. I am closing this, please feel free to reopen this issue or open a new one for further discussions.
