Vault CLI: -mount doesn't prepend the specified mount point to a secret name

[vpedosyuk]

Describe the bug
According to the vault kv put usage docs, when a mount point is specified in -mount the next argument will be interpreted as a secret path. However, it doesn't work for me when the kv mount path is /teams/test/secret instead of default /secret.

My expectation was that the following commands would work out of the box but they didn't:

$ vault secrets enable -path=/teams/test/secret -version=2 kv
Success! Enabled the kv secrets engine at: /teams/test/secret/

$ vault kv put -mount=teams/test/secret my-secret passcode=my-long-passcode
Error writing data to secret/data/my-secret: Error making API request.

URL: PUT https://<redacted>/v1/secret/data/my-secret
Code: 404. Errors:

* no handler for route "secret/data/my-secret". route entry not found.

After some time playing with mount points, ACLs, and whatnot I tried the following command:

$ vault kv put -mount=teams/test/secret teams/test/secret/my-secret passcode=my-long-passcode
================ Secret Path ================
teams/test/secret/data/my-secret

======= Metadata =======
Key                Value
---                -----
created_time       2022-08-09T09:38:29.697165567Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

And I realized that Vault CLI seems to be generating incorrect URL https://<redacted>/v1/secret/data/my-secret instead of https://<redacted>/v1/teams/test/secret/data/my-secret but works fine if the secret path is absolute.

Environment:

• Vault Server Version (retrieve with vault status):

Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3
Version                  1.11.1
Build Date               2022-07-19T20:16:47Z
Storage Type             raft
Cluster Name             vault-cluster-1bda9549
Cluster ID               6e3df734-d997-0c5e-882f-053548968097
HA Enabled               true
HA Cluster               https://vault-0:8201
HA Mode                  standby
Active Node Address      https://<redacted>
Raft Committed Index     1272
Raft Applied Index       1272

• Vault CLI Version (retrieve with vault version):

Vault v1.11.2 ('3a8aa12eba357ed2de3192b15c99c717afdeb2b5+CHANGES'), built 2022-07-29T09:48:47Z

• Server Operating System/Architecture: Kubernetes (GKE)

[aphorise]

It seems that -mount='first/second/last' only takes a single last portion of the path - vs using any single word like kv / kv2 which works fine.

Hey @vpedosyuk - any reason why you dont want to do away with -mount altogether and opt instead to provide the complete path like:

vault kv put teams/test/secret/my-secret passcode=my-long-passcode

[jdgoins]

I just experienced this bug myself which had me scratching my head for a while. People may be gravitating toward -mount because it's a recommended practice in the kv-v2 documentation.

[vpedosyuk]

@aphorise yes, the complete path works well thanks. But I agree with @jdgoins and I'd keep considering this a bug because -mount seems to be a more natural way to describe a custom mount point.

[aphorise]

I believe this issue is likely linked to:

• Unable to get a kv secret the same name as the secret engine using vault kv cli command #17576
• with a PR fix in progress on: Fix kv -mount flag error when mount and secret path are the same #17679

[ccapurso]

@aphorise, thank you for linking the related issue and PR. The proposed logic does in fact fix this issue:

❯ vault secrets enable -path=/teams/test/secret -version=2 kv
Success! Enabled the kv secrets engine at: /teams/test/secret/

❯ vault kv put -mount=teams/test/secret my-secret passcode=my-long-passcode
========== Secret Path ==========
teams/test/secret/data/my-secret

======= Metadata =======
Key                Value
---                -----
created_time       2022-11-01T13:51:49.936712Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

❯ vault kv get -mount=teams/test/secret my-secret
========== Secret Path ==========
teams/test/secret/data/my-secret

======= Metadata =======
Key                Value
---                -----
created_time       2022-11-01T13:51:49.936712Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

====== Data ======
Key         Value
---         -----
passcode    my-long-passcode

[ccapurso]

This has been fixed and backported to the 1.11 and 1.12 release branches. The fix will be available in versions 1.11.6 and 1.12.2.