diff --git a/builtin/logical/pki/backend.go b/builtin/logical/pki/backend.go
index 3878b8995..dfd1b138b 100644
--- a/builtin/logical/pki/backend.go
+++ b/builtin/logical/pki/backend.go
@@ -267,7 +267,7 @@ func (b *backend) metricsWrap(callType string, roleMode int, ofunc roleOperation
 if err != nil {
 return nil, err
 }
- if role == nil && roleMode == roleRequired {
+ if role == nil && (roleMode == roleRequired || len(roleName) > 0) {
 return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", roleName)), nil
 }
 labels = []metrics.Label{{"role", roleName}}
diff --git a/builtin/logical/pki/path_issue_sign.go b/builtin/logical/pki/path_issue_sign.go
index 8b669c69a..17cdc93d8 100644
--- a/builtin/logical/pki/path_issue_sign.go
+++ b/builtin/logical/pki/path_issue_sign.go
@@ -79,7 +79,7 @@ func buildPathSign(b *backend, pattern string) *framework.Path {
 }
 func pathIssuerSignVerbatim(b *backend) *framework.Path {
- pattern := "issuer/" + framework.GenericNameRegex(issuerRefParam) + "/sign-verbatim"
+ pattern := "issuer/" + framework.GenericNameRegex(issuerRefParam) + "/sign-verbatim" + framework.OptionalParamRegex("role")
 return buildPathIssuerSignVerbatim(b, pattern)
 }
diff --git a/changelog/15543.txt b/changelog/15543.txt
new file mode 100644
index 000000000..43c2c7419
--- /dev/null
+++ b/changelog/15543.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/pki: Err on unknown role during sign-verbatim.
+```
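Review bot: The widened condition `len(roleName) > 0` sits in metricsWrap, so every path wrapped with a non-required role mode now rejects a named-but-missing role, not only sign-verbatim as the changelog entry says. Failing closed looks right, since a mistyped role would presumably otherwise proceed as a role-less request without the constraints the caller expected, but the check is uncommented and no test is visible in this diff. I would add `// A role that was named but not found must fail closed; only an empty role name may proceed without a role.` above the check, plus a regression test for an unknown role on each affected path. The error string echoes the request-supplied name with `%s`; `fmt.Sprintf("unknown role: %q", roleName)` would keep unusual characters visible in the response. metricsWrap starts and ends outside the hunk, so how roleName is derived is not visible here.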
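Review bot: pathIssuerSignVerbatim has no doc comment, and the new optional role segment makes the route shape worth stating, e.g. `// pathIssuerSignVerbatim serves issuer/<issuer_ref>/sign-verbatim with an optional trailing /<role>.`. If I recall the SDK correctly, OptionalParamRegex captures with `.+`, which is looser than the GenericNameRegex used for the issuer reference, so the role value that reaches the lookup and the `unknown role` message in backend.go may contain characters a role name never would. Whether buildPathIssuerSignVerbatim declares a `role` field is outside the hunk and should be confirmed. A test that an unknown role on this issuer-scoped path returns the error rather than a signed certificate would pin the intended behaviour.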