From a727ce205a9e187cf179d30796762854cac9c231 Mon Sep 17 00:00:00 2001
From: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
Date: Wed, 28 Feb 2024 11:15:56 -0600
Subject: [PATCH] approle: do not require secret_id (#522)

* approle: support bind_secret_id

* add changelog
---
 CHANGELOG.md | 4 ++++
 src/auth.js  | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d28554d..4f9befe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## Unreleased
 
+Features:
+
+* `secretId` is no longer required for approle to support advanced use cases like machine login when `bind_secret_id` is false. [GH-522](https://github.com/hashicorp/vault-action/pull/522)
+
 ## 3.0.0 (February 15, 2024)
 
 Improvements:
diff --git a/src/auth.js b/src/auth.js
index 331083a..630ad1e 100644
--- a/src/auth.js
+++ b/src/auth.js
@@ -17,7 +17,7 @@ async function retrieveToken(method, client) {
     switch (method) {
         case 'approle': {
             const vaultRoleId = core.getInput('roleId', { required: true });
-            const vaultSecretId = core.getInput('secretId', { required: true });
+            const vaultSecretId = core.getInput('secretId', { required: false });
             return await getClientToken(client, method, path, { role_id: vaultRoleId, secret_id: vaultSecretId });
         }
         case 'github': {