hashicorp-vault-plugin
secret engine "/" can't be encoded if using engine version 2.
If there is a slash "/" in the secret engine name in engine version 2, it cannot be encoded correctly; we need to encode it manually in the Jenkinsfile.
e.g.:
If the secret engine is secret/test and we use secret/test/somesecret in the Jenkinsfile, it will fail with "access denied." We need to set the engine to secret%2Ftest, then the plugin can visit secret/test/somesecret.
Not sure I follow. Your secret path is secret/test/somesecret? Or is your key vault secret/test?
Sorry for the misunderstanding, please follow the screenshot below. The secret engine is "secret/wse-platform", the secret path is deployment/dev/w3/hsp1.
In the Jenkinsfile, I need to set the path to:
secret%2Fwse-platform/deployment/dev/w3/hsp1
rather than:
secret/wse-platform/deployment/dev/w3/hsp1
I can also confirm this behavior. We have secret engine names that use the forward slash character. For example:
If I try to access the secret engines listed above with the following code, I receive an access denied error.
node {
    def secrets = [
        [path: 'cdp/globals/testing', engineVersion: 2, secretValues: [
            [envVar: 'example1', vaultKey: 'cdp-test1'],
            [envVar: 'example2', vaultKey: 'cdp-test2']]]
    ]
    def configuration = [
        vaultUrl: 'https://vault.example.com',
        vaultCredentialId: 'vault-keys',
        engineVersion: 2
    ]
    withVault([configuration: configuration, vaultSecrets: secrets]) {
        sh 'echo $example1'
        sh 'echo $example2'
    }
}
But when I add %2F, the plugin works as expected:
node {
    def secrets = [
        [path: 'cdp%2Fglobals/testing', engineVersion: 2, secretValues: [
            [envVar: 'example1', vaultKey: 'cdp-test1'],
            [envVar: 'example2', vaultKey: 'cdp-test2']]]
    ]
    def configuration = [
        vaultUrl: 'https://vault.example.com',
        vaultCredentialId: 'vault-keys',
        engineVersion: 2
    ]
    withVault([configuration: configuration, vaultSecrets: secrets]) {
        sh 'echo $example1'
        sh 'echo $example2'
    }
}
I suspect this is an issue with the library and not the plugin, as we are simply passing the path variable to the library.
Reading the issues over at the library, it seems you should use prefixPath: https://github.com/BetterCloud/vault-java-driver/issues/155
node {
    def secrets = [
        [path: 'testing', engineVersion: 2, secretValues: [
            [envVar: 'example1', vaultKey: 'cdp-test1'],
            [envVar: 'example2', vaultKey: 'cdp-test2']]]
    ]
    def configuration = [
        vaultUrl: 'https://vault.example.com',
        vaultCredentialId: 'vault-keys',
        engineVersion: 2,
        prefixPath: 'cdp/globals'
    ]
    withVault([configuration: configuration, vaultSecrets: secrets]) {
        sh 'echo $example1'
        sh 'echo $example2'
    }
}
For whatever it is worth on this two-year-old issue, with version hashicorp-vault-plugin:359.v2da_3b_45f17d5 of this plugin I was still completely unable to get this working with prefixPath.
My secret, according to curl and the vault CLI, lives at secrets/kv/data/my/secret/here.
In order to get this working I had to completely unset the prefixPath, both in my secret and in the global vault configuration, and then supply the full path as secrets%2Fkv/my/secret/here without including the data part of the path myself.
This is the only thing that worked.
With prefixPath: secrets%2Fkv/ and Path: my/secret/here, or /my/secret/here, or data/my/secret/here, or any kind of variant of the such, I could NOT get this to function, at all.
I'm assuming that somehow, internally, by supplying a full path secrets%2Fkv/my/secret/here the plugin inserts data/ after the "first" slash secrets%2Fkv/ to build the full proper path secrets/kv/data/my/secret/here, but I'm not entirely sure.
I hope in the future this comment saves someone else far more time than I spent on this.
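The path-building hypothesis in the thread (a client that treats everything before the first "/" as the mount, inserts data/ after it, and only then decodes %2F) can be checked offline. The script below is an added illustration written for this thread, not code from the plugin or from vault-java-driver; the two path builders and the diagnose() helper are assumptions that model the behaviour the commenters observed, and the mount names and secret paths are the ones quoted in the thread. It shows why a mount containing "/" resolves to the wrong KV v2 API path (hence "access denied") and why percent-encoding the mount's slashes makes the same naive splitting produce the correct path.

```python
from urllib.parse import quote, unquote


def kv2_api_path(mount: str, secret_path: str) -> str:
    """The read path Vault expects for a KV v2 secret: <mount>/data/<path>.

    Vault knows where the mount ends, so a mount name containing "/"
    (for example "secrets/kv") is not a problem on the server side."""
    return f"{mount.strip('/')}/data/{secret_path.strip('/')}"


def first_slash_client_path(path: str) -> str:
    """Hypothetical client behaviour (assumption, not the plugin's code):
    take the text before the first "/" as the mount, splice in "data/",
    and percent-decode the result afterwards."""
    mount, _, rest = path.partition("/")
    return unquote(f"{mount}/data/{rest}")


def encode_mount(mount: str) -> str:
    """The workaround from the thread: percent-encode the slashes inside
    the mount name so the naive split sees a single segment."""
    return quote(mount.strip("/"), safe="")


def diagnose(mount: str, secret_path: str) -> dict:
    """Compare the naive input and the encoded workaround against the path
    Vault actually serves the secret from."""
    expected = kv2_api_path(mount, secret_path)
    naive_input = f"{mount.strip('/')}/{secret_path.strip('/')}"
    workaround = f"{encode_mount(mount)}/{secret_path.strip('/')}"
    naive_resolved = first_slash_client_path(naive_input)
    workaround_resolved = first_slash_client_path(workaround)
    return {
        "expected": expected,
        "naive_input": naive_input,
        "naive_resolves_to": naive_resolved,
        "naive_ok": naive_resolved == expected,
        "workaround": workaround,
        "workaround_resolves_to": workaround_resolved,
        "workaround_ok": workaround_resolved == expected,
    }


if __name__ == "__main__":
    # Cases taken from the thread: a plain mount, and three mounts with "/".
    cases = [
        ("secret", "somesecret"),
        ("secret/test", "somesecret"),
        ("cdp/globals", "testing"),
        ("secrets/kv", "my/secret/here"),
    ]
    for mount, secret_path in cases:
        report = diagnose(mount, secret_path)
        print(f"mount={mount!r} path={secret_path!r}")
        for key, value in report.items():
            print(f"  {key}: {value}")
```

A mount without a slash resolves identically either way, which is why the problem only surfaces for engine names such as secret/test or cdp/globals. For those, the naive input secrets/kv/my/secret/here is spliced into secrets/data/kv/my/secret/here, a path that does not exist and is denied by policy, while secrets%2Fkv/my/secret/here decodes to secrets/kv/data/my/secret/here, matching what curl and the vault CLI report.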