500 error when CI job fetches secret but has no environment
### Summary

OpenBao returns a 500 error when a CI job attempts to fetch a secret, and the job doesn't define a deployment [environment](https://docs.gitlab.com/ci/environments/).

### Steps to reproduce

In a blank project where secrets manager is enabled,

1. Create a secret that accepts any environment (wildcard).
2. Set up a CI job that fetches that secret but doesn't have an `environment` definition.

```yaml
job:
  secrets:
    TEST_SECRET:
      gitlab_secrets_manager:
        name: mysecret
  script:
    - cat $TEST_SECRET
```

### What is the current *bug* behavior?

OpenBao returns a 500 error.

Note: The CI job succeeds when an environment is added to its definition.

```yaml
job:
  secrets:
    TEST_SECRET:
      gitlab_secrets_manager:
        name: mysecret
  script:
    - cat $TEST_SECRET
  environment:
    name: staging
    url: https://staging.example.com
```

### What is the expected *correct* behavior?

Fail explicitly.

### Relevant logs and/or screenshots

```
Running with gitlab-runner 18.6.1 (b5e9c6d0)
  on gitlab-gitlab-runner-779d78bfd6-pj2vs Yx2qNb2EQ, system ID: r_0cxbblNF3VId
Resolving secrets
Resolving secret "TEST_SECRET"...
Using "gitlab_secrets_manager" secret resolver...
ERROR: Job failed (system failure): resolving secrets: getting secret: get secret data: reading from Vault: api error: status code 500: failed to perform inline authentication: failed to template policy [6]: unable to apply template: template: template:1:54: executing "template" at <.environment>: map has no entry for key "environment"
```

### Possible fixes

- Fail explicitly, and tell that an environment is required.
- Alternatively, make it pass when the secret accepts any environment (wildcard).
- Document the behavior in the troubleshooting section of the user docs.
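
The error text in the log matches what Go's `text/template` returns when a template is executed with the `missingkey=error` option against a map that lacks the referenced key. The following is an added example, not OpenBao or GitLab code: it reproduces that failure and shows the "fail explicitly" option as a claim check before rendering. The policy template string, the claim names other than `environment`, and the function names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"text/template"
)

// policyTemplate is a constructed stand-in for a templated policy; the real
// policy text is not shown in the issue.
const policyTemplate = `path "secrets/{{.project_id}}/{{.environment}}/*" { capabilities = ["read"] }`

// ErrMissingClaim marks a request whose claims lack a key the policy needs.
var ErrMissingClaim = errors.New("required claim missing")

// renderStrict reproduces the failure mode: with missingkey=error, executing
// against a map without "environment" returns an execution error.
func renderStrict(tmpl string, claims map[string]interface{}) (string, error) {
	t, err := template.New("template").Option("missingkey=error").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, claims); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// renderChecked validates required claims first, so the caller can return a
// client error with an actionable message instead of a generic 500.
func renderChecked(tmpl string, claims map[string]interface{}, required ...string) (string, error) {
	for _, k := range required {
		if _, ok := claims[k]; !ok {
			return "", fmt.Errorf("%w: %q (does the CI job define an environment?)", ErrMissingClaim, k)
		}
	}
	return renderStrict(tmpl, claims)
}

func main() {
	claims := map[string]interface{}{"project_id": "42"} // constructed: job without an environment
	_, err := renderStrict(policyTemplate, claims)
	fmt.Println("strict: ", err)
	_, err = renderChecked(policyTemplate, claims, "project_id", "environment")
	fmt.Println("checked:", err)
}
```

Because `ErrMissingClaim` is a sentinel wrapped with `%w`, a handler can test for it with `errors.Is` and choose the response status separately from genuine template or server faults.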