Vault 1.2.0 approle not working with HVAC (hashi_vault ansible) any more #7231

Closed
pouyana opened this issue Aug 1, 2019 · 3 comments · Fixed by #7233

@pouyana
Contributor

pouyana commented Aug 1, 2019

Describe the bug
From version 1.2.0 it is impossible to retrieve the vault secret using approle and hashi_vault (hvac) in ansible. Using the following gives the following errors on both sides:

{{ lookup('hashi_vault', 'secret=app-role-secrets/data/certificate auth_method=approle')}}

On Ansible Side:

fatal: [host]: FAILED! => 
{"msg": 
"An unhandled exception occurred while running the lookup plugin 'hashi_vault'. 
Error was a <class 'hvac.exceptions.InternalServerError'>, 
original message: json: cannot unmarshal string into 
Go struct field roleStorageEntry.token_type of type logical.TokenType"
}

On Vault Side:

{
  "time": "2019-08-01T08:00:09.261568917Z",
  "type": "response",
  "auth": {
    "token_type": "default"
  },
  "request": {
    "id": "2509237f-6271-f5ae-cbc8-771a17c1e901",
    "operation": "update",
    "namespace": {
      "id": "root"
    },
    "path": "auth/approle/login",
    "data": {
      "role_id": "yyyy",
      "secret_id": "yyyyy"
    },
    "remote_address": "127.0.0.1"
  },
  "response": {},
  "error": "json: cannot unmarshal string into Go struct field roleStorageEntry.token_type of type logical.TokenType"
}

To Reproduce
I use HVAC and hashi_vault to retrieve the vault secrets for my ansible playbooks.

{{ lookup('hashi_vault', 'secret=app-role-secrets/data/certificate auth_method=approle')}}

Expected behavior
Should return the secret as an array

Environment:

  • vault 1.2.0
  • vault 1.2.0
  • Linux Ubuntu 18.04

Vault server configuration file(s):

ui = true
listener "tcp" {
    address = "vault.domain:8200",
    tls_cert_file = "/etc/ssl/certs/vault.crt"
    tls_key_file  = "/etc/ssl/private/vault.key"
}
storage "mysql" {
  username = "xxxxxx"
  password = "xxxxxx"
  database = "xxxxxx"
}

Additional context
This bug is not observed in version 1.1.5 and versions before that, so it was probably added with 1.2.0

@pouyana pouyana changed the title Vault approle not working with HVAC (hashi_vault ansible) any more Vault 1.2.0 approle not working with HVAC (hashi_vault ansible) any more Aug 1, 2019
@ncabatoff ncabatoff self-assigned this Aug 1, 2019
@ncabatoff
Collaborator

Hi @pouyana,

Thanks for reporting this. I've reproduced this without using Ansible, and it does appear to be a 1.2 regression. Investigating a fix.

@kkirsche

kkirsche commented Aug 2, 2019

I also see this on the CLI:

[user@hostname ~]# vault read auth/approle/role/mynamedrole/role-id
Error reading auth/approle/role/mynamedrole/role-id: Error making API request.

URL: GET https://subdomain.domain.com:8200/v1/auth/approle/role/mynamedrole/role-id
Code: 500. Errors:

* 1 error occurred:
        * json: cannot unmarshal string into Go struct field roleStorageEntry.token_type of type logical.TokenType

@ncabatoff
Collaborator

Yes, same error, that's how I reproduced it. We hope to have a 1.2.1 release out soon with a fix.
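
Added example, not part of the thread and not Vault's code or the fix in #7233: the error reported above is what Go's encoding/json returns when the JSON holds a string for a field whose Go type is not a string. The sketch below reproduces that class of failure and shows a decoder that accepts both encodings; the type names, the uint8 representation, and the names and numeric values in `tokenNames` are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// TokenType is a local stand-in (assumption), not Vault's logical.TokenType.
type TokenType uint8

// CompatTokenType accepts the numeric and the string encoding.
// The names and values in tokenNames are constructed for this example.
type CompatTokenType TokenType

var tokenNames = map[string]CompatTokenType{"": 0, "default": 0, "service": 1, "batch": 2}

func (t *CompatTokenType) UnmarshalJSON(b []byte) error {
	var n uint8
	if err := json.Unmarshal(b, &n); err == nil && n <= 2 { // numeric form, known range only
		*t = CompatTokenType(n)
		return nil
	}
	var s string
	err := json.Unmarshal(b, &s) // string form
	v, ok := tokenNames[s]
	if err != nil || !ok {
		return fmt.Errorf("token_type: unsupported value %s", b)
	}
	*t = v
	return nil
}

// DecodeStrict uses encoding/json's default rules, which reject a JSON string;
// DecodeCompat routes token_type through the UnmarshalJSON method above.
func DecodeStrict(raw string) (TokenType, error) {
	var e struct{ T TokenType `json:"token_type"` }
	err := json.Unmarshal([]byte(raw), &e)
	return e.T, err
}

func DecodeCompat(raw string) (TokenType, error) {
	var e struct{ T CompatTokenType `json:"token_type"` }
	err := json.Unmarshal([]byte(raw), &e)
	return TokenType(e.T), err
}

func main() {
	raw := `{"token_type":"default"}` // constructed stored entry
	_, strictErr := DecodeStrict(raw)
	v, compatErr := DecodeCompat(raw)
	fmt.Println("strict:", strictErr, "| compat:", v, compatErr)
}
```

Rejecting unknown names and out-of-range numbers keeps a corrupted stored entry from silently decoding to a default token type.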
