Secrets fetched from Vault appear empty - what am I missing?

Hi all,

I’m trying to fetch secrets from my Hashicorp Vault (as described in this walkthrough). However, secrets appear empty (i.e., contain <nil>).

Policy, role & the secret itself are all in place:

vault kv get secret/foo
=== Data ===
Key    Value
---    -----
bar    baz

When running the CI:

secret-via-keyword:
  stage: dummy
  tags:
    - some-tag
  variables:
    VAULT_AUTH_PATH: jwt
    VAULT_AUTH_ROLE: readonly
    VAULT_SERVER_URL: https://some.host:8200
  secrets:
    BAR:
      vault: foo/bar@secret
  script:
    - echo 'Hello, world!'
    - echo $BAR
    - cat $BAR

Executing "step_script" stage of the job script
00:00
$ echo 'Hello, world!'
Hello, world!
$ echo $BAR
/home/gitlab-runner/builds/twdnURp8/0/some-host/some-repo.tmp/BAR
$ cat $BAR
<nil>
Cleaning up file based variables
00:00
Job succeeded

It seems /home/gitlab-runner/builds/twdnURp8/0/some-host/some-repo.tmp/BAR is empty - but how come?

Any help would be greatly appreciated.

Best,
Claude

Having the same problem currently, but it’s kind of unpredictable as some variables sometimes work and some not. Do you have any update on that issue?

We now know that GitLab sends no or completely malformed requests, as none of these are in the audit log of Vault. Another problem we have is that GitLab parses the path completely wrong, which ends up in permission denied errors.

Any updates on this? I am getting nil values as well

I also have the same error. Apparently Vault returns the correct secrets but GitLab creates empty secret files.

Any update on this?

Are you using kv or kv2 for your secrets engine? I ran into this issue yesterday and I needed to upgrade my secrets engine to kv2. I used this command in vault to upgrade the engine.

vault kv enable-versioning <secrets-engine>

Here is the issue “Add support for Vault's KV-V1 secrets engine” (GitLab issue #237799); right now, only kv-v2 is supported.

And then it did just work?

I also upgraded to v2 but it still doesn’t work.

I also changed the policy and added the “data” prefix.
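A small check that ties the two points above together (kv-v1 mounts are not supported, and a kv-v2 policy needs the "data" prefix). This is an added example, not code from the thread or from GitLab: it parses a GitLab `vault:` reference such as `foo/bar@secret`, looks the engine up in the JSON that `vault secrets list -format=json` prints (a constructed sample is embedded), and reports the kv version and the path a read policy must grant. The reference format `path/field@engine` and the `options.version` field are as documented; the sample mounts and function names are assumptions.

```python
import json

# Constructed sample of `vault secrets list -format=json` output (not from the post):
# one kv-v2 mount ("secret/") and one legacy kv-v1 mount ("legacy/").
MOUNTS_JSON = """
{
  "secret/": {"type": "kv", "options": {"version": "2"}},
  "legacy/": {"type": "kv", "options": null},
  "sys/":    {"type": "system", "options": null}
}
"""


def parse_secret_ref(ref):
    """Split a GitLab `vault:` reference like 'foo/bar@secret' into
    (engine_mount, secret_path, field). The '@engine' part is required here."""
    if "@" not in ref:
        raise ValueError(f"missing '@engine' in {ref!r}")
    path_and_field, engine = ref.rsplit("@", 1)
    if "/" not in path_and_field:
        raise ValueError(f"missing '/field' in {ref!r}")
    path, field = path_and_field.rsplit("/", 1)
    return engine.strip("/"), path, field


def kv_version(mounts, engine):
    """Return 1 or 2 for a kv mount; kv-v1 mounts may carry no options at all."""
    mount = mounts.get(engine + "/")
    if mount is None or mount.get("type") != "kv":
        raise ValueError(f"{engine}/ is not a kv mount")
    options = mount.get("options") or {}
    return int(options.get("version", "1"))


def check_secret_ref(ref, mounts_json=MOUNTS_JSON):
    """Describe what the job needs for `ref`: the kv version of the mount and,
    for kv-v2, the policy path (with the 'data' segment) that must be readable."""
    engine, path, field = parse_secret_ref(ref)
    version = kv_version(json.loads(mounts_json), engine)
    result = {"engine": engine, "path": path, "field": field,
              "kv_version": version, "policy_path": None, "problem": None}
    if version == 2:
        # kv-v2 serves secrets under <mount>/data/<path>; the policy needs that prefix.
        result["policy_path"] = f"{engine}/data/{path}"
    else:
        result["problem"] = f"{engine}/ is kv-v1; run `vault kv enable-versioning {engine}/`"
    return result


if __name__ == "__main__":
    print(check_secret_ref("foo/bar@secret"))  # policy_path 'secret/data/foo', field 'bar'
    print(check_secret_ref("foo/bar@legacy"))  # kv_version 1, problem set
```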