claude
January 29, 2021, 11:10am
1
HI all,
I’m trying to fetch secrets from my Hashicorp Vault (as described in this walkthrough). However, secrets appear empty (i.e., contain <nil>).
Policy, role & the secret itself are all in place:
vault kv get secret/foo
=== Data ===
Key Value
--- -----
bar baz
When running the CI:
secret-via-keyword:
  stage: dummy
  tags:
    - some-tag
  variables:
    VAULT_AUTH_PATH: jwt
    VAULT_AUTH_ROLE: readonly
    VAULT_SERVER_URL: https://some.host:8200
  secrets:
    BAR:
      vault: foo/bar@secret
  script:
    - echo 'Hello, world!'
    - echo $BAR
    - cat $BAR
Executing "step_script" stage of the job script
00:00
$ echo 'Hello, world!'
Hello, world!
$ echo $BAR
/home/gitlab-runner/builds/twdnURp8/0/some-host/some-repo.tmp/BAR
$ cat $BAR
<nil>
Cleaning up file based variables
00:00
Job succeeded
It seems /home/gitlab-runner/builds/twdnURp8/0/some-host/some-repo.tmp/BAR is empty - but how come?
Any help would be greatly appreciated.
Best,
Claude
simwak
March 1, 2021, 10:51pm
2
Having the same problem currently, but it’s kind of unpredictable as some variables sometimes work and some not. Do you have any update on that issue?
simwak
March 2, 2021, 4:10pm
3
We now know that GitLab sends no or completely malformed requests, as none of these are in the audit log of Vault. Another problem we have is that GitLab parses the path completely wrong, which ends up in permission denied errors.
Any updates on this? I am getting nil values as well
I also have the same error. Apparently Vault returns the correct secrets, but GitLab creates empty secret files.
Any update on this?
Are you using kv or kv2 for your secrets engine? I ran into this issue yesterday and I needed to upgrade my secrets engine to kv2. I used this command in vault to upgrade the engine.
vault kv enable-versioning <secrets-engine>
Here is the issue to “Add support for Vault’s KV-V1 secrets engine” (right now, only kv-v2 is supported): Add support for Vault's KV-V1 secrets engine (#237799) · Issues · GitLab.org / GitLab · GitLab
maaft
January 5, 2022, 4:44pm
8
And then it did just work?
I also upgraded to v2 but it still doesn’t work.
I also changed the policy and added the “data” prefix.
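To make the kv-v1/kv-v2 mismatch from the posts above concrete, here is an added example (not code from GitLab or from anyone in this thread) that resolves a GitLab `vault:` reference such as `foo/bar@secret` into the Vault API path and policy path for each KV version, and shows why reading a kv-v1 response with kv-v2 expectations yields a missing value. The JSON responses are constructed to mirror the shape of Vault's kv-v1 and kv-v2 read replies; the helper names are my own.

```python
import json

# Constructed sample responses shaped like Vault's HTTP API replies.
# kv-v1: the secret's fields sit directly under "data".
KV1_RESPONSE = json.dumps({"data": {"bar": "baz"}})
# kv-v2: the fields are nested one level deeper, under "data" -> "data".
KV2_RESPONSE = json.dumps({"data": {"data": {"bar": "baz"}, "metadata": {"version": 1}}})


def parse_reference(ref):
    """Split a GitLab `vault:` reference 'path/field@engine' into (engine, path, field)."""
    path_field, sep, engine = ref.rpartition("@")
    path, sep2, field = path_field.rpartition("/")
    if not (sep and sep2 and engine and path and field):
        raise ValueError(f"malformed vault reference: {ref!r}")
    return engine, path, field


def api_path(engine, path, kv_version):
    """API path read for the secret; kv-v2 inserts 'data/' right after the mount."""
    return f"{engine}/data/{path}" if kv_version == 2 else f"{engine}/{path}"


def policy_stanza(engine, path, kv_version):
    """Minimal read-only Vault policy for the secret; the path must match api_path()."""
    return f'path "{api_path(engine, path, kv_version)}" {{\n  capabilities = ["read"]\n}}'


def extract_field(response_json, field, expected_kv_version):
    """Pull one field out of a read response, parsed as the caller's expected KV version.

    Returns None when the field is absent, which is what ends up as '<nil>' in the
    job's secret file when a kv-v1 mount is read with kv-v2 expectations.
    """
    body = json.loads(response_json)["data"]
    if expected_kv_version == 2:
        body = body.get("data", {})
    return body.get(field)


if __name__ == "__main__":
    engine, path, field = parse_reference("foo/bar@secret")
    print(policy_stanza(engine, path, 2))            # path "secret/data/foo" ...
    print(extract_field(KV2_RESPONSE, field, 2))     # baz
    print(extract_field(KV1_RESPONSE, field, 2))     # None -> the "<nil>" seen above
```

Running the last two lines side by side reproduces the symptom from the first post: the same reference works against a kv-v2 mount and silently yields nothing against kv-v1.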