
Variables are not expanded in vault secrets path


Summary

Variable values are not expanded when used within the path of a default (short-form) secrets definition for the vault engine. This results in a 403 response from the target vault server. However, if you use the full engine definition, variables are expanded.

This looks to be previously functioning behavior, after this issue was addressed.

Steps to reproduce

  1. Configure a project with a functioning vault integration.
  2. Once a functioning vault integration and CI job have been configured, attempt to use a variable for the secret path. The variable will not be expanded and a 403 response will be observed. Example:

```yaml
variables:
  secret_path: "myproject/production/db/password@kv-v2"

vault_job:
...
  secrets:
    db_password:
      vault: $secret_path
      file: false
```

You can see an example of variable expansion working with the vault secret if you fully define the secret engine. Example:

```yaml
variables:
  secret_path: "myproject/production/db"
  secret_field: "password"

vault_job:
...
  secrets:
    db_password:
      vault:
        engine:
          name: kv-v2
          path: kv-v2
        path: $secret_path
        field: $secret_field
      file: false
```
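To make the two forms comparable, here is an added example (not GitLab's code) that expands `$name` / `${name}` references from the job's variables and then translates the short form `path/to/secret/field@engine` into the long-form engine/path/field structure shown above. The part after `@` is treated as the engine mount path with `kv-v2` as the engine type, which matches the long-form example where both are `kv-v2`; the variables dictionary is constructed from the issue's first example.

```python
import re
from typing import Dict

# Constructed sample: the job variables from the issue's first example.
VARIABLES: Dict[str, str] = {
    "secret_path": "myproject/production/db/password@kv-v2",
    "secret_field": "password",
}

# Matches $name or ${name}; both forms are accepted by GitLab CI variable expansion.
_VAR_RE = re.compile(r"\$(\w+)|\$\{(\w+)\}")


def expand_variables(value: str, variables: Dict[str, str]) -> str:
    """Substitute variable references; undefined references are left unchanged."""
    def repl(match: re.Match) -> str:
        name = match.group(1) or match.group(2)
        return variables.get(name, match.group(0))
    return _VAR_RE.sub(repl, value)


def parse_short_vault_secret(spec: str, engine_type: str = "kv-v2") -> dict:
    """Translate 'path/to/secret/field@mount' into the long-form structure.

    Refuses specs that still contain a '$', i.e. a reference that was never
    expanded, since such a string cannot name a real Vault path.
    """
    if "$" in spec:
        raise ValueError(f"unexpanded variable reference in vault secret: {spec!r}")
    secret, sep, mount = spec.rpartition("@")
    if not sep:  # no '@': assume the engine is mounted at its type name
        secret, mount = spec, engine_type
    path, _, field = secret.rpartition("/")
    if not path or not field or not mount:
        raise ValueError(f"malformed vault secret spec: {spec!r}")
    return {"engine": {"name": engine_type, "path": mount}, "path": path, "field": field}


def resolve_vault_secret(job_value: str, variables: Dict[str, str]) -> dict:
    """Expand variables first (the step the issue reports as missing), then parse."""
    return parse_short_vault_secret(expand_variables(job_value, variables))


def rejects_unexpanded(spec: str) -> bool:
    """True if the parser refuses a spec whose variables were never expanded."""
    try:
        parse_short_vault_secret(spec)
    except ValueError:
        return True
    return False
```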

What is the current bug behavior?

Variables are not expanded when utilizing the default vault secret definition. Variable expansion works when fully defining an engine configuration.

What is the expected correct behavior?

Variables are expanded when utilizing the default vault secret definition. Variable expansion also works when fully defining an engine configuration.

Output of checks

This bug happens on GitLab.com
