vault-agent file sink mode is parsed incorrectly

[petracvv]

Describe the bug
When running vault-agent auto-auth and using the file sink method, the mode option does not work as expected. Permissions are octal (base-8) but the mode field in the configuration for the file sink is parsed as an integer (base-10). This leads to a lot of confusion and unexpected behavior with permissions for the sink file that is created.

I suggest the mode field be parsed as a JSON string instead of a JSON integer and validation about it being a valid octal permission be done afterwards.

To Reproduce

1. Install vault agent with an auto-auth configuration as follows:

{
   "pid_file": "./pidfile",
   "exit_after_auth": false,
   "vault": {
     "address": "https://<vault-address-here>:8200"
   },
   "auto_auth": {
     "method": {
       "type": "approle",
       "config": {
         "role_id_file_path": "/tmp/.roleid",
         "secret_id_file_path": "/tmp/.secretid",
       }
   },
 "sink": [
   {
     "type": "file",
     "config": {
       "path": "/tmp/.vault-token",
       "mode": 640
     }
   }
 ]
}

Provide an approle role_id and secret_id at the appropriate locations

2. Start the vault-agent service.
3. Look at the permissions for the /tmp/.vault-token file and see that they are incorrect

[root@75856f20-e289-4 ~]# stat -c "%a" /tmp/.vault-token 
200

640 base-10 is 1200 in octal which when applied to a file results in 200 unix permissions.

If I enter the base-10 equivalent of the 640 octal number which is 416 into the configuration, I get the expected unix file permissions.

Expected behavior
I expected the permissions of the file-sink file to be the octal mode I entered in the configuration.

Environment:

• Vault Server Version: 1.3.2 (the one the agent is connecting to)
• Vault Agent Version: 1.4.2
• Server Operating System/Architecture: RHEL7

[ncabatoff]

Hi @petracvv ,

For JSON you must use a leading 0 to indicate an octal integer. I think you could instead make it a string and we'll parse it as octal too.

[petracvv]

@ncabatoff Sorry but it looks like I forgot to mention that I tried both of those options with no success before making this bug report.

If I try with a leading zero (just showing the sink content below):

"sink": [
   {
     "type": "file",
     "config": {
       "path": "/tmp/.vault-token",
       "mode": 0640
     }
   }

I get the following error:

[root@75856f20-e289-4 vault]# /usr/local/bin/vault agent -config=/etc/vault/agent.json 
Error loading configuration from /etc/vault/agent.json: 21:22: numbers cannot start with 0

Trying it as a string:

"sink": [
   {
     "type": "file",
     "config": {
       "path": "/tmp/.vault-token",
       "mode": "640"
     }
   }

I get the following error:

[root@75856f20-e289-4 vault]# /usr/local/bin/vault agent -config=/etc/vault/agent.json 
Error creating file sink: could not parse 'mode' as integer

I think I did look this up and the JSON with leading zero as octal isn't actually a standard. (Relevant stack overflow https://stackoverflow.com/a/27361596)

Could we reopen this please?

[ncabatoff]

Sorry, I read that stackoverflow link too quickly. And I was looking at the wrong code too when I said this should be supported using leading 0 or string - that's for the agent templates, which leverages some consul-template code to do the right thing.

[jeffbyrnes]

I can confirm this issue; it also appears to only happen when using JSON configs; HCL works fine with octal numbers.

We’re running Vault Enterprise 1.3.2+prem, for reference.

[petracvv]

Hey this is still an issue with at least Vault 1.7.x. Any chance this can be looked at again?

[heatherezell]

Hi @petracvv! Thank you for circling back. I'll mark this issue as needing follow-up. I appreciate your diligence! :)

[aphorise]

hey @petracvv I'm curious if you've seen the recent related notes on #7380? - I'm thinking a documentation update may be helpeful to others around sinks vs sink.

[aphorise]

I'm curious if you've seen the recent related notes on #7380?

I believe that this issues is resolved following the related documentation changes made to clarify sink vs sinks as per:

• Docs: Vault Agent Auto-Auth - Auto Auth Examples

@jeffbyrnes or @petracvv do you agree that this issue is now resolved and is okay to close?

[jeffbyrnes]

@aphorise oh nice! Thanks for the heads-up. I’m out on parental leave for now, and when I return to work on March 6, I’ll check this out.