hashicorp-vault-plugin
Plugin version 3.7.0 results in "Access denied to Vault Secrets"
Hi,
Since we upgraded to Vault plugin 3.7.0 yesterday we have had random bad builds with empty secrets environment variables. In the logs we typically find this:
```
Vault: Reading path sports/.../staging
[Pipeline] echo
Vault: Reading key NEWRELIC_KEY
[Pipeline] withVault
Retrieving secret: sports/.../staging
Access denied to Vault Secrets at 'sports/.../staging'
```
The last line seems to come from this change: https://github.com/jenkinsci/hashicorp-vault-plugin/blob/5a1eedadbde028ac133764c83bbd2c7af5098b00/src/main/java/com/datapipe/jenkins/vault/VaultBuildWrapper.java#L192-L193
Looking at the release notes we find "Support tokens with expiration while fetching secrets #133 (#138) @ash1425"
Our Jenkins is accessing Vault with this role:

```shell
vault write auth/approle/role/jenkins \
    secret_id_ttl=0 \
    token_num_uses=10 \
    bound_cidr_list="$CIDRLIST" \
    token_ttl=20m \
    token_max_ttl=30m \
    policies="read-all"
```
The read-all policy goes like this:

```shell
vault policy write read-all - <<EOF
{ "path": { "*":{ "capabilities": [ "read" ] } } }
EOF
```
I think there is reason to suspect that the new token handling could be better.
This seems related to #156 since we too set token_num_uses.