feat(approle): add an optional profile config mount_point (#27)

cognifloyd · web-flow · commit d9176cbfcf3e · 2025-02-27T16:06:40.000-06:00
as-is: cannot change the default approle mount point `approle`
to-be: change the mount point of approle profile if it is given
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,5 +1,9 @@
 # Change Log
 
+## 2.1.0
+
+- Support mount_point parameter for profiles config.
+
 ## 2.0.0
 
 - Add action to generate secrets.
@@ -48,4 +52,4 @@ The next version will be 1.0.0 and "2" will be dropped from python_versions.
 
 ## 0.1.0
 
-- First release 
+- First release
diff --git a/actions/lib/action.py b/actions/lib/action.py
@@ -7,6 +7,7 @@ class VaultBaseAction(Action):
     Base Action includes st2 profile and vault client functions
     for child classes.
     """
+
     def __init__(self, config):
         super().__init__(config)
         self.config = config
@@ -19,7 +20,9 @@ def run(self, profile_name=None):
         if profile_name is None:
             profile_name = self.config.get("default_profile")
             if profile_name is None:
-                raise ValueError("No default profile found, check the pack configuration.")
+                raise ValueError(
+                    "No default profile found, check the pack configuration."
+                )
 
         for profile in self.config.get("profiles", []):
             if profile_name == profile["name"]:
@@ -78,7 +81,18 @@ def _auth_approle(self, profile):
         """
         Authenticate using a vault app role to acquire the vault token.
         """
-        self.vault.auth.approle.login(
-            role_id=profile["role_id"],
-            secret_id=profile["secret_id"],
-        )
+        # Check if mount_point is provided in the profile
+        mount_point = profile.get("mount_point")
+
+        # Prepare login arguments
+        login_kwargs = {
+            "role_id": profile["role_id"],
+            "secret_id": profile["secret_id"],
+        }
+
+        # Add mount_point to kwargs if it exists in the profile
+        if mount_point:
+            login_kwargs["mount_point"] = mount_point
+
+        # Replace the direct login call with kwargs-based call
+        self.vault.auth.approle.login(**login_kwargs)
diff --git a/config.schema.yaml b/config.schema.yaml
@@ -62,3 +62,8 @@ profiles:
         type: "string"
         secret: true
         required: false
+      mount_point:
+        description: "Authentication mount point (method=approle)"
+        type: "string"
+        secret: false
+        required: false
diff --git a/pack.yaml b/pack.yaml
@@ -2,7 +2,7 @@
 ref: vault
 name: vault
 description: StackStorm pack integration with HashiCorp Vault
-version: 2.0.0
+version: 2.1.0
 python_versions:
   - "3"
 author: steve.neuharth
diff --git a/vault.yaml.example b/vault.yaml.example
@@ -9,6 +9,7 @@ profiles:
     auth_method: approle
     role_id: '00000000-0000-0000-0000-000000000000'
     secret_id: '00000000-0000-0000-0000-000000000000'
+    mount_point: 'my-approle'
   - name: development
     url: 'https://127.0.0.1:8200'
     verify: false
