Generating secretId with Pulumi Vault package gets "unrecognized resource type" error

Question

We want to use Vault with cert-manager through Pulumi. According to the cert-manager Vault docs for authentication through AppRole, we need a secretId. So, we’re trying to generate it by following the Pulumi Vault docs. But we're getting this error:

Diagnostics:
  vault:appRole:AuthBackendRoleSecretId (new-auth-backend-role-secret-id):
    error: unrecognized resource type (Check): vault:appRole/authBackendRoleSecretId:AuthBackendRoleSecretId

Our code with the offending line at the bottom using approle.NewAuthBackendRoleSecretId:

import (
    mount "github.com/pulumi/pulumi-vault/sdk/v5/go/vault"

    // One person pointed out that the docs say this path should be "appRole" but it really isn't
    // The repo is at https://github.com/pulumi/pulumi-vault/tree/master/sdk/go/vault/approle
    approle "github.com/pulumi/pulumi-vault/sdk/v5/go/vault/approle"

    "github.com/pulumi/pulumi-vault/sdk/v5/go/vault/pkisecret"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

        ...

        vaultprovider, _ := mount.NewProvider(pulumiContext, "vaultprovider", &v.Vaultprovider)

        caRole, _ := pkisecret.NewSecretBackendRole(pulumiContext, "ca-role", &pkisecret.SecretBackendRoleArgs{
            Backend: pulumi.String(enginePath),
            Name:    pulumi.String(caRoleName),
            AllowedDomains: pulumi.StringArray{
                pulumi.String("example.com"),
            },
            AllowSubdomains: pulumi.Bool(true),
            MaxTtl:          pulumi.String("2592000"),
        }, pulumi.Provider(vaultprovider))

        appRole, _ := mount.NewAuthBackend(pulumiContext, "approle", &mount.AuthBackendArgs{
            Type: pulumi.String("approle"),
        }, pulumi.Provider(vaultprovider))

        backendRole, _ := approle.NewAuthBackendRole(pulumiContext, "pkiapprole", &approle.AuthBackendRoleArgs{
            Backend:  appRole.Path,
            RoleName: pulumi.String("test-role"),
            TokenPolicies: pulumi.StringArray{
                pulumi.String("default"),
                pulumi.String("dev"),
                pulumi.String("prod"),
            },
        }, pulumi.Provider(vaultprovider), pulumi.DependsOn([]pulumi.Resource{
            appRole,
        }))

        policy, _ := mount.NewPolicy(pulumiContext, "my-policy", &mount.PolicyArgs{
            Name: pulumi.String("cert-issuer-policy"),
            Policy: pulumi.String(`path "intermediate-ca/sign/cert-issuer-role" {
          capabilities = ["read", "list", "create", "update"]
        }`),
        }, pulumi.Provider(vaultprovider), pulumi.DependsOn([]pulumi.Resource{
            caRole, appRole,
        }))

        secretId, _ := approle.NewAuthBackendRoleSecretId(pulumiContext, "new-auth-backend-role-secret-id", &approle.AuthBackendRoleSecretIdArgs{
            Backend:  appRole.Path,
            RoleName: backendRole.RoleName,
        }, pulumi.Provider(vaultprovider), pulumi.DependsOn([]pulumi.Resource{
            caRole, appRole, backendRole, policy,
        }))

What does the error mean? Seems like some people experience this by passing in the wrong provider but in our case we pass in the same Vault provider throughout.

What are we missing?

Answer 1

In the end we thought this could be a bug in the package (we didn't have enough time to investigate fully) and decided to circumvent it by executing a command in the pod directly.

Can be done in different ways but here's our solution:

func ExecuteCommandInPod(...) (*bytes.Buffer, error) {
    // This function uses the client-go package to execute a `kubectl exec -it...` command in a pod.
    // Kind of long so just summarizing here.
}

func (v Vault) CreateVaultSecretId() (string, error) {

    command := []string{
        "sh",
        "-c",
        fmt.Sprintf("output=$(VAULT_TOKEN=%s vault write -f auth/approle/role/test-role/secret-id | awk 'NR == 3'); echo $output", v.Vaultprovider.Token),
    }

    buffer, err := ExecuteCommandInPod(
        v.KubeconfigPath,
        command,
        "vault-0",
        "vault",
    )
    if err != nil {
        return "", err
    }

    result := buffer.String()
    if result == "" {
        return "", fmt.Errorf("no secret ID generated: %s", result)
    }

    secretId := // A bit more parsing of `result`

    return secretId, nil
}

Our colleague mentions it's better to use the Vault SDK so we'll probably refactor in future.