[jira] [Updated] (NIFI-15152) Error getting Hashicorp Vault Secrets

Pierre Villard (Jira) Wed, 29 Oct 2025 08:10:06 -0700


     [ 
https://issues.apache.org/jira/browse/NIFI-15152?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Pierre Villard updated NIFI-15152:
----------------------------------
    Status: Patch Available  (was: Open)

> Error getting Hashicorp Vault Secrets
> -------------------------------------
>
>                 Key: NIFI-15152
>                 URL: https://issues.apache.org/jira/browse/NIFI-15152
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Docker, NiFi API
>    Affects Versions: 2.6.0
>            Reporter: Koldo
>            Assignee: Pierre Villard
>            Priority: Major
>         Attachments: imagen.png
>
>
> I am trying to retrieve the secrets I have stored in Hashicorp Vault using 
> HashicorpVaultParameterProvider's Parameter Providers. 
> In this Vault, I have created a secret called secret/test with the following 
> content:
>  
> {code:java}
> [root@xxxx~]# vault kv get -format=json  secret/test
> {
> "request_id": "",
> "lease_id": "",
> "lease_duration": 0,
> "renewable": false,
> "data": {
>    "data": {
>      "foo": "bar"
>    },
>    "metadata": {
>      "created_time": "2025-10-06T13:13:02.158170743Z",
>      "custom_metadata": null,
>      "deletion_time": "",
>      "destroyed": false,
>      "version": 2
>    }
> },
> "warnings": null,
> "mount_type": "kv"
> }{code}
>  If I enter `test` in the Secret Name Pattern property, Nifi finds the 
> secret. The following logs can be seen from Vault, and it arrives correctly.
>  
> {code:java}
>  test --> OK 
> {"auth":{"accessor":"hmac-sha256:","client_token":"hmac-sha256:","display_name":"","entity_id":"","identity_policies":["",""],"metadata":{"role":""},"policies":[""],"policy_results":{"allowed":true,"granting_policies":[{"type":""},{"name":"policy-admin","namespace_id":"root","type":"acl"}]},"token_policies":["default"],"token_issue_time":"2025-10-17T13:05:25Z","token_ttl":2764800,"token_type":"service"},"request":{"client_id":"","client_token":"hmac-sha256:","client_token_accessor":"hmac-sha256:","headers":{"user-agent":["okhttp/5.1.0"]},"id":"","mount_class":"secret","mount_point":"secret/","mount_running_version":"v0.24.0+builtin","mount_type":"kv","namespace":{"id":"root"},"operation":"list","path":"secret/metadata/","remote_address":"","remote_port":},"time":"2025-10-29T13:47:57.382337725Z","type":"request"}
>  
> {"auth":{"accessor":"hmac-sha256:","client_token":"hmac-sha256:","display_name":"","entity_id":"","identity_policies":["",""],"metadata":{"role":""},"policies":[""],"policy_results":{"allowed":true,"granting_policies":[{"type":""},{"name":"policy-admin","namespace_id":"root","type":"acl"}]},"token_policies":["default"],"token_issue_time":"2025-10-17T13:05:25Z","token_ttl":2764800,"token_type":"service"},"request":{"client_id":"","client_token":"hmac-sha256:","client_token_accessor":"hmac-sha256:","headers":{"user-agent":["okhttp/5.1.0"]},"id":"","mount_accessor":"kv_ab700f9b","mount_class":"secret","mount_point":"secret/","mount_running_version":"v0.24.0+builtin","mount_type":"kv","namespace":{"id":"root"},"operation":"list","path":"secret/metadata/","remote_address":"","remote_port":},"response":{"data":{"keys":["hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:"]},"mount_accessor":"kv_ab700f9b","mount_class":"secret","mount_point":"secret/","mount_running_plugin_version":"v0.24.0+builtin","mount_type":"kv"},"time":"2025-10-29T13:47:57.382919771Z","type":"response"}
>  
> {"auth":{"accessor":"hmac-sha256:","client_token":"hmac-sha256:","display_name":"","entity_id":"","identity_policies":["",""],"metadata":{"role":""},"policies":[""],"policy_results":{"allowed":true,"granting_policies":[{"type":""},{"name":"policy-admin","namespace_id":"root","type":"acl"}]},"token_policies":["default"],"token_issue_time":"2025-10-17T13:05:25Z","token_ttl":2764800,"token_type":"service"},"request":{"client_id":"","client_token":"hmac-sha256:","client_token_accessor":"hmac-sha256:","headers":{"user-agent":["okhttp/5.1.0"]},"id":"","mount_class":"secret","mount_point":"secret/","mount_running_version":"v0.24.0+builtin","mount_type":"kv","namespace":{"id":"root"},"operation":"read","path":"secret/data/test","remote_address":"","remote_port":},"time":"2025-10-29T13:47:57.389998021Z","type":"request"}
>  
> {"auth":{"accessor":"hmac-sha256:","client_token":"hmac-sha256:","display_name":"","entity_id":"","identity_policies":["",""],"metadata":{"role":""},"policies":[""],"policy_results":{"allowed":true,"granting_policies":[{"type":""},{"name":"policy-admin","namespace_id":"root","type":"acl"}]},"token_policies":["default"],"token_issue_time":"2025-10-17T13:05:25Z","token_ttl":2764800,"token_type":"service"},"request":{"client_id":"e97617c1-c62c-9012-3316-52bc74de6f49","client_token":"hmac-sha256:","client_token_accessor":"hmac-sha256:","headers":{"user-agent":["okhttp/5.1.0"]},"id":"","mount_accessor":"kv_ab700f9b","mount_class":"secret","mount_point":"secret/","mount_running_version":"v0.24.0+builtin","mount_type":"kv","namespace":{"id":"root"},"operation":"read","path":"secret/data/test","remote_address":"","remote_port":},"response":{"data":{"data":{"foo":"hmac-sha256:"},"metadata":{"created_time":"hmac-sha256:","custom_metadata":null,"deletion_time":"hmac-sha256:","destroyed":false,"version":2}},"mount_accessor":"kv_ab700f9b","mount_class":"secret","mount_point":"secret/","mount_running_plugin_version":"v0.24.0+builtin","mount_type":"kv"},"time":"2025-10-29T13:47:57.390356894Z","type":"response"}
>  
> {code}
>  
> Now I want to access a folder called suma/. In this folder, there is a secret 
> called secret/suma/nifi with the following content:
> {code:java}
> [root@xxx ~]# vault kv get -format=json  secret/suma/nifi
> {
>   "request_id": "40229dc6-a962-e064-1ba8-a0890f6f64ce",
>   "lease_id": "",
>   "lease_duration": 0,
>   "renewable": false,
>   "data": {
>     "data": {
>       "PASSWORD": "abcd",
>       "USER": "admin"
>     },
>     "metadata": {
>       "created_time": "2025-10-29T13:23:40.47500718Z",
>       "custom_metadata": null,
>       "deletion_time": "",
>       "destroyed": false,
>       "version": 2
>     }
>   },
>   "warnings": null,
>   "mount_type": "kv"
> }{code}
> If I enter suma/.* in the Secret Name Pattern property, I do not receive any 
> secrets and I get these logs:
>  
> {code:java}
> suma/.* --> KO 
> {"auth":{"accessor":"hmac-sha256:","client_token":"hmac-sha256:","display_name":"","entity_id":"","identity_policies":[""],"metadata":{"role":""},"policies":[""],"policy_results":{"allowed":true,"granting_policies":[{"type":""},{"name":"policy-admin","namespace_id":"root","type":"acl"}]},"token_policies":["default"],"token_issue_time":"2025-10-17T13:05:25Z","token_ttl":2764800,"token_type":"service"},"request":{"client_id":"","client_token":"hmac-sha256:","client_token_accessor":"hmac-sha256:","headers":{"user-agent":["okhttp/5.1.0"]},"id":"","mount_class":"secret","mount_point":"secret/","mount_running_version":"v0.24.0+builtin","mount_type":"kv","namespace":{"id":"root"},"operation":"list","path":"secret/metadata/","remote_address":"","remote_port":},"time":"2025-10-29T13:48:56.701121989Z","type":"request"}
>  
> {"auth":{"accessor":"hmac-sha256:","client_token":"hmac-sha256:","display_name":"","entity_id":"","identity_policies":[""],"metadata":{"role":""},"policies":[""],"policy_results":{"allowed":true,"granting_policies":[{"type":""},{"name":"policy-admin","namespace_id":"root","type":"acl"}]},"token_policies":["default"],"token_issue_time":"2025-10-17T13:05:25Z","token_ttl":2764800,"token_type":"service"},"request":{"client_id":"","client_token":"hmac-sha256:","client_token_accessor":"hmac-sha256:","headers":{"user-agent":["okhttp/5.1.0"]},"id":"","mount_accessor":"kv_ab700f9b","mount_class":"secret","mount_point":"secret/","mount_running_version":"v0.24.0+builtin","mount_type":"kv","namespace":{"id":"root"},"operation":"list","path":"secret/metadata/","remote_address":"","remote_port":},"response":{"data":{"keys":["hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:"]},"mount_accessor":"kv_ab700f9b","mount_class":"secret","mount_point":"secret/","mount_running_plugin_version":"v0.24.0+builtin","mount_type":"kv"},"time":"2025-10-29T13:48:56.701611366Z","type":"response"}
>  
> {"auth":{"accessor":"hmac-sha256:","client_token":"hmac-sha256:","display_name":"","entity_id":"","identity_policies":[""],"metadata":{"role":""},"policies":[""],"policy_results":{"allowed":true,"granting_policies":[{"type":""},{"name":"policy-admin","namespace_id":"root","type":"acl"}]},"token_policies":["default"],"token_issue_time":"2025-10-17T13:05:25Z","token_ttl":2764800,"token_type":"service"},"request":{"client_id":"","client_token":"hmac-sha256:","client_token_accessor":"hmac-sha256:","headers":{"user-agent":["okhttp/5.1.0"]},"id":"","mount_class":"secret","mount_point":"secret/","mount_running_version":"v0.24.0+builtin","mount_type":"kv","namespace":{"id":"root"},"operation":"read","path":"secret/data/suma/","remote_address":"","remote_port":},"time":"2025-10-29T13:48:56.709238292Z","type":"request"}
>  
> {"auth":{"accessor":"hmac-sha256:","client_token":"hmac-sha256:","display_name":"","entity_id":"","identity_policies":[""],"metadata":{"role":""},"policies":[""],"policy_results":{"allowed":true,"granting_policies":[{"type":""},{"name":"policy-admin","namespace_id":"root","type":"acl"}]},"token_policies":["default"],"token_issue_time":"2025-10-17T13:05:25Z","token_ttl":2764800,"token_type":"service"},"request":{"client_id":"","client_token":"hmac-sha256:","client_token_accessor":"hmac-sha256:","headers":{"user-agent":["okhttp/5.1.0"]},"id":"","mount_accessor":"kv_ab700f9b","mount_class":"secret","mount_point":"secret/","mount_running_version":"v0.24.0+builtin","mount_type":"kv","namespace":{"id":"root"},"operation":"read","path":"secret/data/suma/","remote_address":"","remote_port":},"response":{"data":{"http_content_type":"hmac-sha256:","http_raw_body":"hmac-sha256:","http_status_code":404},"mount_accessor":"kv_ab700f9b","mount_class":"secret","mount_point":"secret/","mount_running_plugin_version":"v0.24.0+builtin","mount_type":"kv"},"time":"2025-10-29T13:48:56.70951782Z","type":"response"}{code}
>  
> If I enter suma/nifi, I do not receive any secrets and I get these logs:
>  
> {code:java}
> suma/nifi --> KO 
> {"auth":{"accessor":"hmac-sha256:","client_token":"hmac-sha256:","display_name":"","entity_id":"","identity_policies":[""],"metadata":{"role":""},"policies":[""],"policy_results":{"allowed":true,"granting_policies":[{"type":""},{"name":"policy-admin","namespace_id":"root","type":"acl"}]},"token_policies":["default"],"token_issue_time":"2025-10-17T13:05:25Z","token_ttl":2764800,"token_type":"service"},"request":{"client_id":"","client_token":"hmac-sha256:","client_token_accessor":"hmac-sha256:","headers":{"user-agent":["okhttp/5.1.0"]},"id":"","mount_class":"secret","mount_point":"secret/","mount_running_version":"v0.24.0+builtin","mount_type":"kv","namespace":{"id":"root"},"operation":"list","path":"secret/metadata/","remote_address":"","remote_port":},"time":"2025-10-29T13:49:17.621899297Z","type":"request"}
>  
> {"auth":{"accessor":"hmac-sha256:","client_token":"hmac-sha256:","display_name":"","entity_id":"","identity_policies":[""],"metadata":{"role":""},"policies":[""],"policy_results":{"allowed":true,"granting_policies":[{"type":""},{"name":"policy-admin","namespace_id":"root","type":"acl"}]},"token_policies":["default"],"token_issue_time":"2025-10-17T13:05:25Z","token_ttl":2764800,"token_type":"service"},"request":{"client_id":"","client_token":"hmac-sha256:","client_token_accessor":"hmac-sha256:","headers":{"user-agent":["okhttp/5.1.0"]},"id":"","mount_accessor":"kv_ab700f9b","mount_class":"secret","mount_point":"secret/","mount_running_version":"v0.24.0+builtin","mount_type":"kv","namespace":{"id":"root"},"operation":"list","path":"secret/metadata/","remote_address":"","remote_port":},"response":{"data":{"keys":["hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:","hmac-sha256:"]},"mount_accessor":"kv_ab700f9b","mount_class":"secret","mount_point":"secret/","mount_running_plugin_version":"v0.24.0+builtin","mount_type":"kv"},"time":"2025-10-29T13:49:17.622434369Z","type":"response"}{code}
>  
> Can you review it or give me a solution?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (NIFI-15152) Error getting Hashicorp Vault Secrets

Reply via email to