Cannot retrieve secrets v2, with complex path

Hello,

I’m testing HashiCorp Vault integration with Jenkins by running it with Docker in Dev mode.

Currently I can retrieve secrets from engines with simple path names like:

  • secret/userpass
  • mysecret/userpass

For further testing, I set up engines with somewhat more complex path names like:

  • kv/somecred/google/db/userpass (this reflects my production usage)

However, I cannot retrieve the one with the complex path "kv/somecred/google/db/userpass" as normal.

Here is my Jenkins pipeline:

    node {
        def secrets = [
            [
                path: 'secret/userpass',
                engineVersion: 2,
                secretValues: [
                    [envVar: 'passwdd', vaultKey: 'user']
                ]
            ],
            [
                path: 'mysecret/userpass',
                engineVersion: 2,
                secretValues: [
                    [envVar: 'passv2', vaultKey: 'user']
                ]
            ],
            [
                // the entry that fails to resolve
                path: 'kv/somecred/google/db',
                engineVersion: 2,
                secretValues: [
                    [envVar: 'passwddd', vaultKey: 'user']
                ]
            ],
        ]

        def configuration = [vaultUrl: 'http://vault:8200',
                             vaultCredentialId: 'vault-jenkins-role',
                             engineVersion: 2,
                             skipSslVerification: true,
                             timeout: 60]

        withVault([configuration: configuration, vaultSecrets: secrets]) {
            sh 'echo $passwdd'
            sh 'echo $passv2'
            sh 'echo $passwddd'
        }
    }

And my Jenkins role policy:

While on Jenkins I cannot retrieve it, on the CLI it can be retrieved normally when logged in with an AppRole-generated token.

Unfortunately, Jenkins' integration with Vault is not very good.

It is inconsistent in how it deals with the Vault KV v2 secrets engine, and it has one error that it returns for pretty much all failures, concealing what actually went wrong.

There is an important detail you have not mentioned in your post: which parts of the path kv/somecred/google/db are the path to the KV v2 secrets engine mount, and which parts are the path within the secrets engine?

The Vault CLI command vault secrets list shows all your mounted secrets engines - could you paste its output?

When using Jenkins withVault, you need to pass the path to the KV v2 secrets engine mount in configuration.prefixPath, and the path within the secrets engine in vaultSecrets[*].path. This does mean you cannot access multiple secrets engines in one withVault call, if any of them are KV v2.

To cause further confusion, the handling of prefixPath vs. path here is inconsistent with the prefixPath and path used when defining a Jenkins credential of a Vault type: there, prefixPath still needs to be set, but path needs to be set to the full path, repeating the value included in prefixPath!
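As an added example (not code from the original post or from the Jenkins Vault plugin's own documentation), here is the pipeline from the question rewritten the way the reply above describes: the KV v2 mount goes in configuration.prefixPath and only the path inside the mount goes in vaultSecrets[*].path, with a separate withVault call per mount. It assumes that "secret" and "kv" are the KV v2 mounts and that "somecred/google/db" is the path within the "kv" mount (exactly the split the reply asks the poster to confirm with vault secrets list); the URL, credential id and key name are taken from the question.

```groovy
// Added example, not the poster's or the plugin's code. Assumes:
//   - 'secret' and 'kv' are KV v2 mounts (check with `vault secrets list`)
//   - 'somecred/google/db' is the secret path relative to the 'kv' mount
//   - credential id 'vault-jenkins-role' and the Vault URL as in the question

// Per the reply: prefixPath names the KV v2 mount, so a withVault call can
// only address one KV v2 mount at a time. Build one configuration per mount.
def vaultConfig(String mount) {
    return [vaultUrl: 'http://vault:8200',
            vaultCredentialId: 'vault-jenkins-role',
            engineVersion: 2,
            prefixPath: mount,          // the KV v2 mount, e.g. 'kv'
            skipSslVerification: true,  // dev-mode only; never in production
            timeout: 60]
}

node {
    // Mount 'secret', secret 'userpass' inside it (was 'secret/userpass').
    withVault([configuration: vaultConfig('secret'),
               vaultSecrets: [[path: 'userpass',
                               engineVersion: 2,
                               secretValues: [[envVar: 'PASSWDD', vaultKey: 'user']]]]]) {
        // Do not echo secret values into the build log; only check they resolved.
        sh 'test -n "$PASSWDD" && echo "secret/userpass resolved"'
    }

    // Mount 'kv', secret 'somecred/google/db' inside it
    // (was 'kv/somecred/google/db' as a single path, which fails).
    withVault([configuration: vaultConfig('kv'),
               vaultSecrets: [[path: 'somecred/google/db',
                               engineVersion: 2,
                               secretValues: [[envVar: 'PASSWDDD', vaultKey: 'user']]]]]) {
        sh 'test -n "$PASSWDDD" && echo "kv/somecred/google/db resolved"'
    }
}
```

Before changing the pipeline, confirm the split on the CLI with the same AppRole token the job uses: vault secrets list shows which leading path element is the mount, and vault kv get kv/somecred/google/db should return the "user" key. If the CLI read works but the pipeline still fails, the mismatch is almost certainly in prefixPath vs. path rather than in the policy, and the plugin's single generic error will not tell you which.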