
Commit a043cf2

assist in debugging vault access errors
1 parent 46e55bc commit a043cf2

1 file changed

Lines changed: 23 additions & 9 deletions


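--- a/internal/config/vault.go
+++ b/internal/config/vault.go
@@ -2,7 +2,9 @@ package config
 
 import (
 "context"
+"errors"
 "fmt"
+"net/http"
 
 "github.com/go-viper/mapstructure/v2"
 "github.com/hashicorp/vault-client-go"
@@ -12,14 +14,18 @@ import (
 func LookupWithAppRole(ctx context.Context, vaultAddr, caCertFile, roleID, secretID, path string) (*Config, error) {
 client, err := newClient(vaultAddr, caCertFile)
 if err != nil {
-return nil, err
+return nil, fmt.Errorf("approle.Client: %w", err)
 }
 resp, err := client.Auth.AppRoleLogin(ctx, schema.AppRoleLoginRequest{RoleId: roleID, SecretId: secretID})
 if err != nil {
-return nil, err
+var verr *vault.ResponseError
+if errors.As(err, &verr) && verr.OriginalRequest != nil {
+return nil, expandError(verr.OriginalRequest, err)
+}
+return nil, fmt.Errorf("approle.Login: %w", err)
 }
 if err = client.SetToken(resp.Auth.ClientToken); err != nil {
-return nil, err
+return nil, fmt.Errorf("approle.SetToken: %w", err)
 }
 defer logout(ctx, client, resp.Auth.Renewable)
 return lookup(ctx, client, path)
@@ -28,10 +34,10 @@ func LookupWithAppRole(ctx context.Context, vaultAddr, caCertFile, roleID, secre
 func LookupWithToken(ctx context.Context, vaultAddr, caCertFile, token, path string) (*Config, error) {
 client, err := newClient(vaultAddr, caCertFile)
 if err != nil {
-return nil, err
+return nil, fmt.Errorf("token.Client: %w", err)
 }
 if err = client.SetToken(token); err != nil {
-return nil, err
+return nil, fmt.Errorf("token.SetToken: %w", err)
 }
 return lookup(ctx, client, path)
 }
@@ -54,20 +60,28 @@ func newClient(vaultAddr, caCertFile string) (*vault.Client, error) {
 func lookup(ctx context.Context, client *vault.Client, path string) (*Config, error) {
 secret, err := client.Read(ctx, path)
 if err != nil {
-return nil, err
+var verr *vault.ResponseError
+if errors.As(err, &verr) && verr.OriginalRequest != nil {
+return nil, expandError(verr.OriginalRequest, err)
+}
+return nil, fmt.Errorf("vault.Read: %w", err)
 }
-if secret == nil {
+if secret == nil || secret.Data == nil {
 return nil, fmt.Errorf("secret not found at path %q", path)
 }
 var cfg Config
 if err = mapstructure.Decode(secret.Data, &cfg); err != nil {
-return nil, err
+return nil, fmt.Errorf("secret.Decode: %w", err)
 }
 return &cfg, nil
 }
 
+func expandError(req *http.Request, err error) error {
+return fmt.Errorf("%s %s: %w", req.Method, req.URL.String(), err)
+}
+
 func logout(ctx context.Context, client *vault.Client, shouldLogout bool) {
 if shouldLogout {
-client.Auth.TokenRevokeSelf(ctx) //nolint:all
+_, _ = client.Auth.TokenRevokeSelf(ctx)
 }
 }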
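Review bot: expandError builds the error text with `req.URL.String()`, which reproduces any userinfo embedded in vaultAddr, so a `https://user:pass@host` style address would put the password into the returned error and from there into whatever logs it; `req.URL.Redacted()` prints the same URL with the password masked, so the line should read `return fmt.Errorf("%s %s: %w", req.Method, req.URL.Redacted(), err)`. The helper also dereferences `req.URL` without a nil check, which holds for requests the client built itself but is not guarded by the `verr.OriginalRequest != nil` test at the two call sites. Separately, `_, _ = client.Auth.TokenRevokeSelf(ctx)` in logout now drops the revoke error silently instead of via nolint; a failed revoke leaves the AppRole token live until its TTL, so a short comment such as `// best-effort: a failed revoke leaves the token to expire on its own TTL` would record that this is intentional rather than an oversight.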
