Issue Fetching Multiple Secrets with vault-action@v2.7.3 using AppRole Authentication

Hello everyone,

I’m currently trying to fetch multiple secrets using vault-action@v2.7.3 in GitHub Actions with AppRole authentication, but it’s not working as expected. I wanted to see if anyone has encountered a similar issue or has any insights.
Fetching a particular secret by its key name works fine.

Environment:

  • Vault-Action Version: v2.7.3
  • Server OS/Architecture: Ubuntu-latest

Issue Description:

I am using the following configuration in my GitHub Actions workflow to fetch multiple secrets:

- name: Get Secrets
  id: secrets
  uses: hashicorp/vault-action@v2.7.3
  with:
    roleId: ${{ secrets.VAULT_ROLE_ID }}
    secretId: ${{ secrets.VAULT_SECRET_ID }}
    url: ${{ secrets.VAULT_ADDR }}
    method: approle
    secrets: |
      github/secrets/secret_name * | MYAPP_ ;

Expected Behavior:

The secrets should be fetched in JSON format as follows:

{
  "MYAPP_key1": "secret1",
  "MYAPP_key2": "secret2",
  "MYAPP_key3": "secret3"
}

Log Output:

Test Case: github/secrets/secret_name * | MYAPP_ ;
Error: Unable to retrieve result for data.data."**". No match data was found. Double check your Key or Selector.

Test Case: github/secrets/secret_name ** | MYAPP_ ;
Error: Unable to retrieve result for data.data."*". No match data was found. Double check your Key or Selector.

Additional Context:

When I use the Vault CLI, I get the expected output using the following command:

vault kv get -format=json -field=data github/secrets/secret_name

Output:

{
"key1": "secret1",
"key2": "secret2",
"key3": "secret3"
}

Is there a way to achieve the same output using vault-action in GitHub Actions? Any help or guidance would be greatly appreciated!
Fetching a particular secret by its key name works fine:

- name: Get Secrets
  id: secrets
  uses: hashicorp/vault-action@v2.7.3
  with:
    roleId: ${{ secrets.VAULT_ROLE_ID }}
    secretId: ${{ secrets.VAULT_SECRET_ID }}
    url: ${{ secrets.VAULT_ADDR }}
    method: approle
    secrets: |
      github/secrets/secret_name key1 | KEY1;

Thanks in advance!

Any errors in the Vault or GitHub action logs?

Unable to retrieve result for data.data."*". No match data was found. Double check your Key or Selector.
This is the exact message from the GitHub Actions logs.

Thanks, and apologies for missing that in the table you originally provided; I was hyper-focused on the YAML.

Are you using kv v1 or v2? Based on your secrets path (no /data) can I assume v1?

secrets: |
  github/secrets/secret_name key1 | KEY1;

Oh wait, it's actually the v2 version of the engine... I have versioning on my secrets.

Try updating your secret path to include data. If you enabled the secret engine at the path github then it would be something like github/data/secrets/secret_name.

Thanks.
I tried with: gihub/data/secrets/test * | APP_ and it's giving me the same error.

Unable to retrieve result for data.data."*". No match data was found. Double check your Key or Selector.

Actually, this is what I tried initially, but while scrubbing the details in the post I forgot to add 'data' to the path.

Hi @srishti772 - apologies for the delay in getting back to you. I haven't worked with GitHub Actions before, so I was testing our documentation against your scenario.

I used the token auth method just to rule out any other issues with authentication, etc., and focused on returning multiple secrets with the * glob.

I wrote 2 secrets, accessKey and accessKey2, and verified the path in the UI just to be sure.

The action is (copied from your post and modified to support namespaces):

- name: Import Secrets
  id: import-secrets
  uses: hashicorp/vault-action@v2
  with:
    url: https://vault***.hashicorp.cloud:8200
    token: foo
    namespace: "admin"
    secrets: |
      secret/data/ci/aws * | AWS_ACCESS_KEY_ID
- run: echo ${{ steps.import-secrets.outputs.AWS_ACCESS_KEY_ID }}

And here is the output (for some reason, throwing sed in there with multiple secrets isn't displaying the secret, but with a single secret it did display the secret):

  echo 
  shell: /usr/bin/bash -e {0}
  env:
    AWS_ACCESS_KEY_IDACCESSKEY: ***
    AWS_ACCESS_KEY_IDACCESSKEY2: ***

Next steps if I were troubleshooting this in your place: try the token auth method and a test policy that is overly permissive to read the secrets. If that works, try the policy you are currently using with the token auth method, and keep working your way back to the desired configuration to determine where the breakdown is.
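Two things in this thread are easy to get wrong and cheap to check before a workflow ever runs: the CLI inserts the `data/` segment for KV v2 paths while vault-action needs it spelled out (`github/data/secrets/...`), and a `*` selector turns every key under `data.data` into an env var prefixed with the output name. The Python below is an added preflight check written for this thread, not code from vault-action or from anyone in the discussion; the sample `secrets:` block and KV v2 response are constructed, and the env-var normalization (uppercase, non-alphanumerics replaced with `_`) is an assumption based on the `AWS_ACCESS_KEY_IDACCESSKEY` output shown above.

```python
"""Preflight for a vault-action `secrets:` block against a KV v2 mount."""
import re

# Constructed sample: the two `secrets:` entries from the original post.
SECRETS_BLOCK = """
github/secrets/secret_name * | MYAPP_ ;
github/secrets/secret_name key1 | KEY1;
"""

# Constructed sample: body of a KV v2 read as `vault kv get -format=json`
# shows it. Note the nested data.data, which is where the action looks.
SAMPLE_KV2_RESPONSE = {
    "data": {
        "data": {"key1": "secret1", "key2": "secret2", "key3": "secret3"},
        "metadata": {"version": 3},
    }
}

def parse_secrets_block(block):
    """Parse `path [selector] | OUTPUT ;` lines into (path, selector, output)."""
    requests = []
    for line in block.splitlines():
        line = line.strip().rstrip(";").strip()
        if not line:
            continue
        left, _, output = line.partition("|")
        parts = left.split()
        selector = parts[1] if len(parts) > 1 else None
        requests.append((parts[0], selector, output.strip() or None))
    return requests

def kv2_data_path(path, mount):
    """Return mount/data/rest: the CLI adds data/ for you, the action does not."""
    if not path.startswith(mount + "/"):
        raise ValueError(f"{path!r} is not under mount {mount!r}")
    rest = path[len(mount) + 1:]
    return path if rest.startswith("data/") else f"{mount}/data/{rest}"

def env_name(name):
    """Assumed normalization: uppercase, non-alphanumerics replaced with '_'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name).upper()

def resolve(response, selector, output):
    """Apply one selector: `*` prefixes every key with OUTPUT, else one key."""
    data = response["data"]["data"]
    if selector == "*":
        return {env_name((output or "") + key): val for key, val in data.items()}
    return {env_name(output or selector): data[selector]}
```

Running `kv2_data_path` over each parsed path shows immediately which entries still point at the v1-style location, and `resolve` shows the exact env var names the job will see (or that `MYAPP_key1` will come out as `MYAPP_KEY1`, which matters for the step that consumes them).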