bugfix/ISSUE-5934-fix-rbac-kv-value-render

CHANGELOG.rst

@@ -6,6 +6,8 @@ in development
 
 Added
 ~~~~~
+* Fix KV value lookup in actions when RBAC is enabled #5934
+
 * Move `git clone` to `user_home/.st2packs` #5845
 
 * Error on `st2ctl status` when running in Kubernetes. #5851

st2common/st2common/services/keyvalues.py

@@ -191,17 +191,17 @@ def _get_kv(self, key):
         if kvp:
             LOG.debug("Got value %s from datastore.", kvp.value)
 
-        # Check that user has permission to the key value pair.
-        # If RBAC is enabled, this check will verify if user has system role with all access.
-        # If RBAC is enabled, this check guards against a user accessing another user's kvp.
-        # If RBAC is enabled, user needs to be explicitly granted permission to view a system kvp.
-        # The check is sufficient to allow decryption of the system kvp.
-        rbac_utils = get_rbac_backend().get_utils_class()
-        rbac_utils.assert_user_has_resource_db_permission(
-            user_db=UserDB(name=self._user),
-            resource_db=kvp,
-            permission_type=PermissionType.KEY_VALUE_PAIR_VIEW,
-        )
+            # Check that user has permission to the key value pair.
+            # If RBAC is enabled, this check will verify if user has system role with all access.
+            # If RBAC is enabled, this check guards against a user accessing another user's kvp.
+            # If RBAC is enabled, user needs to be explicitly granted permission to view a system kvp.
+            # The check is sufficient to allow decryption of the system kvp.
+            rbac_utils = get_rbac_backend().get_utils_class()
+            rbac_utils.assert_user_has_resource_db_permission(
+                user_db=UserDB(name=self._user),
+                resource_db=kvp,
+                permission_type=PermissionType.KEY_VALUE_PAIR_VIEW,
+            )
 
         return kvp.value if kvp else ""