Request documentation to use this module

Created on 11 July 2025, 2 days ago

Hi,

Thanks in advance for your time and guidance.

Problem/Motivation

I want to use this module to store secrets in Vault and eventually integrate it for use as a field reference where Vault will be the storage instead of the default database.

Steps to reproduce

I created a simple module to test leveraging vault client. Here is the form submission code:

Sample code

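use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Vault\Client;

/**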
 * A simple form to test writing secrets via the Vault contrib module.
 */
class VaultWriteTestForm extends FormBase {

  /** @var \Vault\Client */
  protected Client $vaultClient;

  /**
   * Inject the vault client from the contrib module.
   */
  public function __construct(Client $vault_client) {
    $this->vaultClient = $vault_client;
  }

  /**
   * {@inheritdoc}
   */
  public static function create(ContainerInterface $container) {
    return new static(
      // 'vault.vault_client' is provided by the Vault module.
      $container->get('vault.vault_client')
    );
  }

  /**
   * {@inheritdoc}
   */
  public function getFormId(): string {
    return 'example_vault_write_test_form';
  }

  /**
   * {@inheritdoc}
   */
  public function buildForm(array $form, FormStateInterface $form_state): array {
    $form['secret_path'] = [
      '#type' => 'textfield',
      '#title' => $this->t('Secret path'),
      '#description' => $this->t('The Vault path under your mount (e.g. user/foo).'),
      '#required' => TRUE,
    ];
    $form['secret_key'] = [
      '#type' => 'textfield',
      '#title' => $this->t('Data key'),
      '#description' => $this->t('The key name to store under this path (e.g. api_key).'),
      '#required' => TRUE,
    ];
    $form['secret_value'] = [
      '#type' => 'textarea',
      '#title' => $this->t('Data value'),
      '#description' => $this->t('The value to write.'),
      '#required' => TRUE,
    ];
    $form['actions']['#type'] = 'actions';
    $form['actions']['submit'] = [
      '#type' => 'submit',
      '#value' => $this->t('Write secret'),
      '#button_type' => 'primary',
    ];

    return $form;
  }

  /**
   * {@inheritdoc}
   */
  public function submitForm(array &$form, FormStateInterface $form_state): void {
    $path = $form_state->getValue('secret_path');
    $key  = $form_state->getValue('secret_key');
    $value = $form_state->getValue('secret_value');

    try {
      // The Vault\Client write() method takes ($path, array $data).
      $this->vaultClient->write($path, [$key => $value]);
      $this->messenger()->addStatus($this->t('Secret written to %path.', ['%path' => $path]));
    }
    catch (\Exception $e) {
      $this->messenger()->addError($this->t(
        'Vault write failed: @msg',
        ['@msg' => $e->getMessage()]
      ));
    }
  }

}

When I try this, I always get:

Vault write failed: Bad status received from Vault

The token is correct, which I verified through a basic curl call.

Thanks again!

💬 Support request
Status

Active

Version

3.0

Component

Code

Created by

🇺🇸 United States nvl.sateesh


Comments & Activities

  • Issue created by @nvl.sateesh
  • 🇺🇸 United States cmlara

    At the moment the Drupal module is currently primarily bringing in the 3rd party library in a manner that interfaces with Drupal's common APIs. Many of these methods are still 'low level' and require knowledge of how to format Vault API messages. The Vault HTTP API documentation is a useful reference. https://developer.hashicorp.com/vault/api-docs

    The vault_key_kv module may provide some assistance of sample code to help (note: this is written for KV2 storage)
    https://git.drupalcode.org/project/vault_key_kv/-/blob/2.x/src/Plugin/Ke...

    $this->vaultClient->write($path, [$key => $value]);
    I assume for this simplistic example that $path is a KV storage engine; the question is whether it is KV1 or KV2, as the format of the submitted data depends upon this (for KV1 it is a direct key/value pair, while in the case of KV2 the key should be under a 'data' key).

    KV1 submit format
    KV2 submit format

    Additionally, care must be taken regarding / placement in $path to ensure the path is correctly formatted with the base path already provided.

    We appear to be missing documentation on this. A developer can set the vault.logger.level container parameter to debug to enable additional logging that may provide additional details. I will create a follow-up issue for that documentation to be added.
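
Added example, not part of the original thread or of the Vault module's code: a helper that builds the path and body for a KV1 or KV2 write as described in the comment above, normalising slashes and rejecting unsafe segments in the form-supplied path. The function name, the `secret` mount and the sample values are assumptions; the `data` path element for KV2 follows the Vault HTTP API documentation, and whether the client expects a leading slash depends on how it joins the base path, which the thread does not state.

```php
<?php

declare(strict_types=1);

/**
 * Builds the path and body for a Vault KV write (hypothetical helper).
 *
 * @param string $mount  KV mount name, e.g. "secret" (assumed).
 * @param string $path   Secret path under the mount, e.g. "user/foo".
 * @param array $secret  Key/value pairs to store.
 * @param int $kv        KV engine version of the mount: 1 or 2.
 *
 * @return array{path: string, data: array}
 */
function example_vault_kv_write_request(string $mount, string $path, array $secret, int $kv): array {
  if ($kv !== 1 && $kv !== 2) {
    throw new \InvalidArgumentException('KV version must be 1 or 2.');
  }
  if ($secret === []) {
    throw new \InvalidArgumentException('Nothing to write.');
  }
  // Drop empty segments so "/user//foo/" becomes ["user", "foo"].
  $split = static fn(string $p): array => array_values(
    array_filter(explode('/', $p), static fn(string $s): bool => $s !== '')
  );
  $mount_parts = $split($mount);
  $path_parts = $split($path);
  if ($mount_parts === [] || $path_parts === []) {
    throw new \InvalidArgumentException('Mount and secret path are required.');
  }
  // The path comes from a form field: accept plain segments only, so it
  // cannot carry "..", whitespace, or query/fragment characters.
  foreach (array_merge($mount_parts, $path_parts) as $segment) {
    if ($segment === '.' || $segment === '..' || !preg_match('/^[A-Za-z0-9._-]+$/', $segment)) {
      throw new \InvalidArgumentException('Invalid path segment.');
    }
  }
  if ($kv === 2) {
    // KV2: "data" sits between mount and path; values nest under 'data'.
    return ['path' => implode('/', array_merge($mount_parts, ['data'], $path_parts)), 'data' => ['data' => $secret]];
  }
  // KV1: the key/value pairs are the body as-is.
  return ['path' => implode('/', array_merge($mount_parts, $path_parts)), 'data' => $secret];
}

// Constructed sample input; the value is not a real secret.
$request = example_vault_kv_write_request('secret', '/user/foo/', ['api_key' => 'example-value'], 2);
echo json_encode($request, JSON_UNESCAPED_SLASHES), PHP_EOL;
```

In the form's submit handler the two returned elements would be passed as the arguments of `$this->vaultClient->write()`, with the KV version taken from how the mount was created.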
