
Read secrets from vault path gives access denied

Open sandy2294 opened this issue 4 years ago • 4 comments

Hello, I am able to read secrets from our vault using the generated vault token in a vault secret API command, but Jenkins throws "Access Denied" for the same token configured through both "Vault token file credential" and "Vault token credential". I've tried using both a freestyle job and a pipeline script to execute this and both give the same "Access Denied" error. The token field is empty when I try to update the credential, and I always see it as empty even after I paste the token and click on save. Usually passwords in other credential types are shown as concealed in the latest version of Jenkins. My Jenkins version is 2.255 and the vault plugin version is 3.6.1. The secret path is exactly the same as what I used in my API command (secret/).


I've also created a custom log for vault using the logger name "com.datapipe.jenkins.vault", but that shows no logs related to the execution. How can I debug this?

sandy2294 avatar Sep 09 '20 02:09 sandy2294

> The token field is empty when I try to update the credential and I always see it as empty even after I paste the token and click on save.

Because the token is of type password, it will show as empty on update. Whoever is updating cannot see the old token, but the correct value will be stored in Jenkins.

I have tried with the above-mentioned versions and it is working fine. So I suspect the problem is one of:

  1. wrong vault token
  2. vault token doesn't have enough permission (policy) to fetch secrets in the path you specified.

Can you verify the token once?

export VAULT_ADDR=<your_vault_addr>
vault login <vault_token>
vault kv get secret/<secret-name>

If this works, then the vault plugin should work for sure.

dineshba avatar Sep 13 '20 07:09 dineshba

Hello Dinesh, our vault token was generated from an AppRole and it gets renewed every day through a crontab on the Jenkins local server, so it's very much alive: we are already able to fetch the secrets from the Jenkins server using a curl command with the same vault URL, token and secret path, but the plugin is unable to do the same using the same token, URL and secret path in the Jenkins UI. Is there a debug mode I can use to see what's happening with the plugin execution while it tries to fetch the secret?


sandy2294 avatar Sep 13 '20 15:09 sandy2294

Fixed my issue. I had been using the secret name in the "Key name" field, where I am actually supposed to use "value" for a single secret of the form foo=bar, and I've put my secret name in the path instead.


sandy2294 avatar Sep 16 '20 03:09 sandy2294
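The two failure modes discussed in this thread (a token whose policy lacks read on the path, versus the secret name typed into the key field while the key inside the secret is "value") produce the same opaque "Access Denied" in the plugin. The helper below is an added example, not the plugin's or HashiCorp's code: it takes the status and JSON body that `GET /v1/<path>` on a Vault KV mount returns, handles both KV v1 and KV v2 response layouts, and reports which of the two mistakes was made. The responses are constructed samples, not captures from the reporter's server.

```python
import json

# Constructed sample responses shaped like Vault's KV API output (not captured).
KV_V2_RESPONSE = json.dumps(
    {"data": {"data": {"value": "s3cr3t"}, "metadata": {"version": 1}}})
KV_V1_RESPONSE = json.dumps({"data": {"value": "s3cr3t"}})
DENIED_RESPONSE = json.dumps({"errors": ["permission denied"]})


class VaultLookupError(Exception):
    """Carries a diagnosis that a bare 'Access Denied' does not give."""


def read_vault_key(status, body, path, key):
    """Return one key from a Vault KV read, or raise a diagnosed error.

    `status`/`body` are the HTTP status and JSON body of GET /v1/<path>.
    KV v2 nests user data one level deeper (data.data, beside metadata)
    than KV v1 (data); both layouts are accepted.
    """
    if status == 403:
        # Token is valid but its policy does not grant 'read' on this path.
        raise VaultLookupError(
            f"permission denied on {path}: check the token's policy with "
            f"'vault token capabilities {path}'")
    if status == 404:
        raise VaultLookupError(f"no secret at {path}: check mount and secret name")
    if status != 200:
        raise VaultLookupError(f"unexpected HTTP {status} from Vault: {body}")
    payload = json.loads(body)["data"]
    # KV v2 wraps the user data in a second 'data' object next to 'metadata'.
    if isinstance(payload.get("data"), dict) and "metadata" in payload:
        payload = payload["data"]
    if key not in payload:
        # The mistake from this thread: the secret *name* used as the key name.
        raise VaultLookupError(
            f"key '{key}' not found in secret {path}; available keys: "
            f"{sorted(payload)}. The secret name belongs in the path, the "
            f"key inside the secret (e.g. 'value') in the key field.")
    return payload[key]
```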

Cool... Could you please close this issue?

dineshba avatar Sep 16 '20 04:09 dineshba