Thomasht86/set access rule before deployment#1228
Merged
thomasht86 merged 6 commits into master from Feb 12, 2026
When services.xml references secrets from vaults, automatically ensure the application has SANDBOX access before deploying to dev, saving users from manual console configuration.

Changes:
- Add vault access rule logic to VespaCloud (CSRF-aware, with verification)
- Add `secrets` tag to services.py configuration DSL
- Replace debug print() with logging.info() for vault diagnostics
- Narrow exception handling to specific types for better error surfacing
- Clean up unit tests: remove low-value tests, simplify assertions
- Add skipped integration test for manual cloud verification

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Add auth method check in _ensure_vault_access_rule: raise ValueError with actionable message when API key auth is used and rule is missing, since API keys lack the administrator role needed for vault modifications
- Remove ValueError from except clause in _ensure_vault_access_for_dev so the auth error propagates up and stops the deployment
- Refactor _get_csrf_token to try/except instead of auth method check
- Replace debug print() calls with logging.info()

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- test_ensure_vault_access_rule_api_key_raises: verify ValueError is raised with instructional message when auth is api_key and rule is missing, and no PUT is attempted
- test_ensure_vault_access_for_dev_api_key_raises: verify ValueError propagates up (not caught as warning)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

API key auth cannot set vault access rules (lacks administrator role). This test requires interactive (Auth0) login. Skip by default with instructions to comment out @unittest.skip to run manually.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
bjorncs approved these changes Feb 12, 2026
When services.xml references secrets from vaults, automatically ensure the application has SANDBOX access before deploying to dev, saving users from manual console configuration.
Changes:
- `secrets` tag to services.py configuration DSL

I confirm that this contribution is made under the terms of the license found in the root directory of this repository's source tree and that I have the authority necessary to make this contribution on behalf of its copyright owner.
To test:
- `uv sync --extra dev`
- `TestDeployAddsVaultAccessCloud` in `test_integration_vespa_cloud.py`
- `uv run python -m pytest tests/integration/test_integration_vespa_cloud.py::TestDeployAddsVaultAccessCloud -v -s`
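The fail-closed behaviour the commit messages above describe, as an added sketch that is not the project's code: a missing rule under API key auth raises `ValueError` before any write, a write is read back to verify it, and the per-vault loop catches only a narrow error type so the auth error stops the deployment. Assumptions: `FakeControlPlane`, both function names and signatures, the `"interactive"` auth value, and the choice of `ConnectionError` as the caught type are hypothetical; only the `api_key` check and the propagating `ValueError` come from the page.

```python
import logging

log = logging.getLogger("vault_access_example")


class FakeControlPlane:
    """Constructed in-memory stand-in for the cloud API that stores vault rules."""

    def __init__(self, rules=None, unreachable=()):
        self.rules = {v: set(a) for v, a in (rules or {}).items()}
        self.unreachable = set(unreachable)  # vaults whose lookup fails
        self.puts = 0

    def get_rules(self, vault):
        if vault in self.unreachable:
            raise ConnectionError(f"cannot reach vault API for {vault}")
        return set(self.rules.get(vault, ()))

    def put_rule(self, vault, app):
        self.puts += 1
        self.rules.setdefault(vault, set()).add(app)


def ensure_vault_access_rule(api, auth_method, vault, app):
    """Return True if a rule was added, False if it was already present."""
    if app in api.get_rules(vault):
        return False
    if auth_method == "api_key":
        # Refuse before any write: this credential cannot modify vaults.
        raise ValueError(
            f"{app} has no access to vault {vault} and API key auth cannot "
            "add it; use interactive login or add the rule in the console"
        )
    api.put_rule(vault, app)
    if app not in api.get_rules(vault):  # read back to verify the write
        raise RuntimeError(f"rule for {vault} missing after write")
    return True


def ensure_vault_access_for_dev(api, auth_method, vaults, app):
    """Ensure access to every vault; return the vaults that gained a rule."""
    added = []
    for vault in vaults:
        try:
            if ensure_vault_access_rule(api, auth_method, vault, app):
                added.append(vault)
        except ConnectionError as exc:  # narrow: ValueError is NOT caught
            log.warning("could not check vault %s: %s", vault, exc)
    return added
```

Catching a broad `Exception` in the loop would downgrade the privilege error to a warning and let the deployment continue without the access rule in place.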