hashicorp-vault-plugin: Access denied to Vault Secrets at 'path/to/secret'

I have tried numerous things to get this working and it simply doesn’t. I verified the user does have access to the secret and can list it.

I’m guessing I’m simply doing something wrong.

Failing pipeline:

def secrets = [
    [path: 'path/to/dev']
]

pipeline {
   agent any

   stages {
      stage('vault') {
         steps {
            // inside this block your credentials will be available as env variables
            withVault([vaultSecrets: secrets]) {
                sh 'env'
            }
         }
      }
   }
}

This results in Access denied to Vault Secrets at 'path/to/dev'

I tried wrapping withVault as well:

def secrets = [
    [path: 'path/to/dev']
]

pipeline {
   agent any

   stages {
      stage('vault') {
         steps {
            withCredentials([[$class: 'VaultTokenCredentialBinding', credentialsId: 'jenkins_token', vaultAddr: 'https://vault.url.here']]) {
                // values will be masked
                sh 'echo TOKEN=$VAULT_TOKEN'
                sh 'echo ADDR=$VAULT_ADDR'
                
                withVault([configuration: [vaultUrl: VAULT_ADDR, vaultCredentialId: 'jenkins_token', engineVersion: 2], vaultSecrets: secrets]) {
                    sh 'env'
                }
            }
         }
      }
   }
}

No matter what I do…it fails:

Masking supported pattern matches of $VAULT_ADDR or $VAULT_TOKEN or $VAULT_NAMESPACE
[Pipeline] {
[Pipeline] sh
+ echo 'TOKEN=****'
TOKEN=****
[Pipeline] sh
+ echo 'ADDR=****'
ADDR=****
[Pipeline] wrap
Access denied to Vault Secrets at 'path/to/dev'

About this issue

  • State: open
  • Created 4 years ago
  • Reactions: 1
  • Comments: 25 (7 by maintainers)

Most upvoted comments

A helpful piece would be a “validate credentials” option in the settings so we can test there to make sure the creds are good.

Ahhhhhhh…so the 403 is a misnomer. I went back to trying my token and it worked after I changed my path to: app%2Fdev/secret

Another option is to use prefixPath in the configuration. @johncblandii's example above:

def secrets = [
    [
        path: 'path/to/secret',
        engineVersion: 2,
        secretValues: [
            [envVar: 'application_name', vaultKey: 'application_name']
        ]
    ]
]

def configuration = [
    vaultUrl: 'https://my.vault.app',
    vaultCredentialId: 'admin-cred',
    engineVersion: 2,
    prefixPath: "app/dev/secret"
]

The above would look up the secret in app/dev/secret/path/to/secret. And yes, as @johncblandii mentioned, escaping slashes in the namespace part of the path only also works, e.g.:

def secrets = [
    [
        path: 'app%2Fdev/secret/path/to/secret',
        engineVersion: 2,
        secretValues: [
            [envVar: 'application_name', vaultKey: 'application_name']
        ]
    ]
]

def configuration = [
    vaultUrl: 'https://my.vault.app',
    vaultCredentialId: 'admin-cred',
    engineVersion: 2,
]

IMO, this is a bug that needs fixing, since I imagine most people would just try to access the secret via the full path, instead of using prefixPath 🤷
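As an added illustration (not the plugin's code, and not from anyone in this thread): a small model of where a KV v2 client must insert the `data` segment, run over the path styles tried above against a constructed mount `app/dev`. The mount-depth rule (prefixPath segment count, otherwise one segment) is an assumption about the plugin, and the policy matcher is a simplified stand-in for Vault's ACL check.

```python
from __future__ import annotations
from urllib.parse import unquote

# Added illustration, not the plugin's code. It models how a KV read request
# path is built from the Jenkinsfile values in this thread. Assumption: the
# mount depth is the number of prefixPath segments, or 1 when there is none.


def kv_api_path(path: str, engine_version: int = 2, prefix_path: str = "") -> str:
    """Return the request path (after /v1/) for reading `path`."""
    prefix = [s for s in prefix_path.strip("/").split("/") if s]
    segments = prefix + [s for s in path.strip("/").split("/") if s]
    mount_depth = len(prefix) if prefix else 1
    if engine_version == 2:
        # KV v2 serves secrets under <mount>/data/<key>, so the client must
        # know where the mount ends to place the 'data' segment correctly.
        segments.insert(mount_depth, "data")
    # A %2F inside a segment keeps it as one segment client-side while Vault
    # decodes it on arrival; return the path the server actually routes on.
    return "/".join(unquote(s) for s in segments)


def policy_allows(policy: set[str], api_path: str) -> bool:
    """Match api_path against policy rules written as exact paths or 'dir/*'."""
    for rule in policy:
        if rule.endswith("/*") and api_path.startswith(rule[:-1]):
            return True
        if rule == api_path:
            return True
    return False


# Constructed scenario: a KV v2 engine mounted at 'app/dev' holding the
# secret 'path/to/secret', and a Jenkins token allowed to read only that mount.
POLICY = {"app/dev/data/*", "app/dev/metadata/*"}

ATTEMPTS = {
    "bare path":     dict(path="path/to/secret"),
    "full path":     dict(path="app/dev/path/to/secret"),
    "prefixPath":    dict(path="path/to/secret", prefix_path="app/dev"),
    "escaped mount": dict(path="app%2Fdev/path/to/secret"),
    "full path, v1": dict(path="app/dev/path/to/secret", engine_version=1),
}


def outcome(**kwargs) -> tuple[str, bool]:
    """Resolve one attempt to (request path, allowed by POLICY)."""
    api_path = kv_api_path(**kwargs)
    return api_path, policy_allows(POLICY, api_path)


if __name__ == "__main__":
    for label, cfg in ATTEMPTS.items():
        api_path, ok = outcome(**cfg)
        print(f"{label:<14} {api_path:<30} {'ok' if ok else '403 permission denied'}")
```

Vault evaluates the token's policy against the literal request path before routing it to a mount, so a misplaced `data` segment comes back as 403 "permission denied" rather than "not found".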

Are you sure you are using engineVersion 2? Try setting it to 1.