vaultenv 0.13.3 and Hashi Corp hosted vault #111

Open
raiknet opened this issue Sep 9, 2021 · 1 comment
raiknet commented Sep 9, 2021

I worked successfully with vaultenv in my dev environment. Now I switched to HashiCorp enterprise hosted Vault and I get "Invalid Vault token". I verified the token multiple times and it works when I use the native Vault command "vault kv ...". When I try to switch to a non-TLS connection, I get "[ERROR] Received bad JSON from Vault: Error in $: Failed reading: not a valid json value". Here is my debug output:

```
Host: vault-cluster.vault.2cxxxxxxxx2bb.aws.hashicorp.cloud
Port: 8200
Addr: https://vault-cluster.vault.xxxxx43-9601-cf54xxx32bb.aws.hashicorp.cloud:8200
Token: *****
Secret file: ./vaultenv-aws
Command: env
Arguments: []
Use TLS: True
Validate certs: True
Inherit env: True
Inherit env blacklist: []
Base delay: 40
Retry attempts: 9
Log-level: Info
Use PATH: True
Concurrent requests: 8
```

Am I missing something? Should version 0.13.3 work with no issues with the HashiCorp hosted Vault?

@maartenberg
Member

Hi @raiknet,

We haven't used Vaultenv with Hashicorp's hosted Vault service yet and it seems that this is not possible with the current version of Vaultenv.

I think that this error is due to Vaultenv not being namespace-aware: Vault on HCP seems to depend on Vault's namespacing feature. Vaultenv currently does not pass the X-Vault-Namespace header in the requests it sends, which seems to be required on Vault on HCP.

I think that it shouldn't be too hard to make Vaultenv namespace-aware: if I'm not mistaken the required steps would be to

  1. add a field for the Vault namespace to the Options type,
  2. add a CLI option to specify the namespace (or take it from the VAULT_NAMESPACE environment variable),
  3. pass the namespace to the Vault server here and here like we also pass x-vault-request.

We currently aren't using Vault on HCP, so adding namespace support is not currently a priority for us. We would probably accept a PR that adds namespace support though :)
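
One way to confirm the namespace diagnosis from the comment above, as an added example that is not part of the thread or of Vaultenv's code: look up the token against Vault's `auth/token/lookup-self` endpoint once without and once with the `X-Vault-Namespace` header and compare the HTTP status codes. The namespace name `admin`, the token value and the local stub server are constructed for the demonstration; against a real cluster, pass its address, token and namespace to `diagnose`.

```python
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

LOOKUP_SELF = "/v1/auth/token/lookup-self"  # Vault token self-lookup endpoint
# Ignore proxy environment variables so the local demo is deterministic.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def lookup_self(addr, token, namespace=None):
    """Return the HTTP status of a token self-lookup, optionally namespaced."""
    req = urllib.request.Request(addr.rstrip("/") + LOOKUP_SELF)
    req.add_header("X-Vault-Token", token)
    if namespace:
        req.add_header("X-Vault-Namespace", namespace)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # Vault answers 403 for a token it does not accept

def diagnose(addr, token, namespace):
    bare, scoped = lookup_self(addr, token), lookup_self(addr, token, namespace)
    if bare == 200:
        return "token valid without a namespace"
    if scoped == 200:
        return "token valid only with X-Vault-Namespace"
    return "token rejected in both cases"

class StubVault(BaseHTTPRequestHandler):
    """Constructed stand-in: accepts the token only inside namespace 'admin'."""
    def do_GET(self):
        ok = (self.path == LOOKUP_SELF
              and self.headers.get("X-Vault-Token") == "s.constructed-token"
              and self.headers.get("X-Vault-Namespace") == "admin")
        body = json.dumps({"data": {}} if ok else {"errors": ["permission denied"]}).encode()
        self.send_response(200 if ok else 403)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), StubVault)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    addr = f"http://127.0.0.1:{server.server_port}"
    try:
        return diagnose(addr, "s.constructed-token", "admin"), diagnose(addr, "wrong", "admin")
    finally:
        server.shutdown()
        server.server_close()
```

A result of "token valid only with X-Vault-Namespace" matches the situation described in the comment: the token itself is fine, and a client that omits the header sees it rejected.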
