Christoph Forster

Reputation: 1858

Jenkins hashicorp-vault-plugin empty result

I tried the Jenkins Pipeline Example mentioned here: https://plugins.jenkins.io/hashicorp-vault-plugin

node {
    // define the secrets and the env variables
    def secrets = [
        [$class: 'VaultSecret', path: 'secret/testing', secretValues: [
            [$class: 'VaultSecretValue', envVar: 'testing', vaultKey: 'value_one'],
            [$class: 'VaultSecretValue', envVar: 'testing_again', vaultKey: 'value_two']]],
        [$class: 'VaultSecret', path: 'secret/another_test', secretValues: [
        [$class: 'VaultSecretValue', envVar: 'another_test', vaultKey: 'value']]]
    ]

    // optional configuration, if you do not provide this the next higher configuration
    // (e.g. folder or global) will be used
    def configuration = [$class: 'VaultConfiguration',
                         vaultUrl: 'http://my-very-other-vault-url.com',
                         vaultCredentialId: 'my-vault-cred-id']
    // inside this block your credentials will be available as env variables
    wrap([$class: 'VaultBuildWrapper', configuration: configuration, vaultSecrets: secrets]) {
        sh 'echo $testing'
        sh 'echo $testing_again'
        sh 'echo $another_test'
    }
}

So I installed hashicorp-vault-plugin 2.2.0 in Jenkins 2.173 and started a Vault (v1.1.1) Docker Container using

docker run -d --name vaulttest -p 80:8200 --cap-add=IPC_LOCK -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' vault

Next I configured a token credential within Jenkins using the token "myroot".

I created the secrets within Vault (using the WebUI):

testing
   value_one
   value_two
another_test
   value

First of all, there is an error within the example: when using the paths "secret/testing" and "secret/another_test", the plugin fails with an error 404:

"Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv get' for this operation."

This can be fixed by using the paths "secret/data/testing" and "secret/data/another_test" (see https://issues.jenkins-ci.org/browse/JENKINS-44900).

When then running the job, the variables seem to be empty:

[Pipeline] sh
+ echo

[Pipeline] sh
+ echo

[Pipeline] sh
+ echo

The connection definitely works, because when providing invalid credentials or invalid paths I receive errors.

Also, retrieving the secrets directly returns a valid response:

/ # vault kv get secret/testing
====== Metadata ======
Key              Value
---              -----
created_time     2019-04-17T05:31:23.581020191Z
deletion_time    n/a
destroyed        false
version          3

====== Data ======
Key          Value
---          -----
value_one    HUGO
value_two    BETTY

What am I missing here?

Upvotes: 0

Views: 3607

Answers (1)

Christoph Forster

Reputation: 1858

As seen here (https://issues.jenkins-ci.org/browse/JENKINS-52646), Vault KV v2 returns a different JSON response.

So you have to use

def secrets = [
    [$class: 'VaultSecret', path: 'secret/data/testing', secretValues: [
        [$class: 'VaultSecretValue', envVar: 'testing', vaultKey: 'data']]]
]

to retrieve the correct JSON response.

The resulting JSON response can then be passed to readJSON:

def result = readJSON text: testing
echo result.value_one
echo result.value_two

Upvotes: 0
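To make the cause of the empty variables concrete, here is an added Python model (not code from the question, the answer, or the plugin) of the two read-response shapes and of a key lookup that works the way the answer implies: the `vaultKey` is looked up as a top-level key of the response's `data` object, a missing key yields an empty string, and a nested object comes back as a JSON string that must be parsed afterwards. The response documents and the lookup function `resolve_env` are constructed assumptions for illustration; the response layouts follow Vault's documented KV v1 and KV v2 read responses.

```python
import json

# Constructed sample responses (not captured from the poster's Vault).
# KV v1: the secret map sits directly under "data".
KV_V1_RESPONSE = json.dumps({
    "data": {"value_one": "HUGO", "value_two": "BETTY"},
})
# KV v2: "data" holds a nested "data" (the secret map) plus "metadata".
KV_V2_RESPONSE = json.dumps({
    "data": {
        "data": {"value_one": "HUGO", "value_two": "BETTY"},
        "metadata": {"version": 3, "destroyed": False, "deletion_time": ""},
    },
})


def resolve_env(response_json, secret_values):
    """Model (assumption) of filling envVar from vaultKey.

    Each vaultKey is looked up as a top-level key of the response's "data"
    object; an absent key yields "" (the empty `echo` output in the question).
    A nested object is rendered as a JSON string, which is why the answer's
    vaultKey 'data' can be fed to readJSON."""
    data = json.loads(response_json).get("data", {})
    env = {}
    for env_var, vault_key in secret_values:
        value = data.get(vault_key, "")
        env[env_var] = json.dumps(value) if isinstance(value, dict) else str(value)
    return env


def kv2_path(v1_style_path):
    """Rewrite 'secret/testing' to the KV v2 data endpoint 'secret/data/testing'."""
    mount, _, rest = v1_style_path.partition("/")
    return f"{mount}/data/{rest}"


def read_kv2_values(env_var_json):
    """Parse the JSON string stored in the env variable, like readJSON does."""
    return json.loads(env_var_json)
```

With KV v2, `value_one` is not a top-level key of `data` (only `data` and `metadata` are), so the v1-style mapping yields an empty value while `vaultKey: 'data'` yields the whole secret map.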
