Not able to get secrets from vault

Hello,

I’m running the latest concourse with Vault. It’s all configured and set up. Concourse is able to connect to Vault (success in the logs). It is able to query vault (can see that in the logs). The vars are in the right path (double checked that via the vault cli), it’s all there and in place, but when I run a git job, it’s not able to fetch the information from vault.

For testing purposes, I put the credentials into

  • /concourse/{team}/{pipeline}/username and /concourse/{team}/{pipeline}/password
  • /concourse/{team}/username and /concourse/{team}/password
  • /concourse/{global}/username and /concourse/{global}/password (“global” being set via CONCOURSE_VAULT_SHARED_PATH).

It’s just not working and there is absolutely no error message anywhere except when the task is running, I get:

run check step: run check step: check: resource script '/opt/resource/check []' failed: exit status 128

stderr:
Cloning into '/tmp/git-resource-repo-cache'...
fatal: could not read Username for 'https://some.where': No such device or address

The config in pipeline.yml is as follows:

resources:
  - name: Some-Image
    type: git
    source:
      uri: https://some.where/Some-Image.git
      branch: devel
      submodule_credentials:
      - host: some.where
        username: ((username))
        password: ((password))

I also tried the other configuration option, as described on the git-resource git repository:

resources:
  - name: Some-Image
    type: git
    source:
      uri: https://some.where/Some-Image.git
      branch: devel
      username: ((username))
      password: ((password))

Not working either.

When I check that the vars are in place, I get:

# vault read /concourse/global/username
Key                 Value
---                 -----
refresh_interval    768h
username      someusername

Same for the password:

# vault read /concourse/global/password
Key                 Value
---                 -----
refresh_interval    768h
password      somepassword

Of course I did the same for /concourse/team and /concourse/team/pipeline.

According to the docs:

Credential lookup rules

When resolving a parameter such as ((foo_param)), Concourse will look in the following paths, in order:

/concourse/TEAM_NAME/PIPELINE_NAME/foo_param

/concourse/TEAM_NAME/foo_param

Vault credentials are actually key-value, so for ((foo)) Concourse will default to the field name value. You can specify the field to grab via . syntax, e.g. ((foo.bar)).

If the action is being run in the context of a pipeline (e.g. a check or a step in a build of a job), Concourse will first look in the pipeline path. If it's not found there, it will look in the team path. This allows credentials to be scoped widely if they're common across many pipelines.

If an action is being run in a one-off build, Concourse will only look in the team path.

The leading /concourse can be changed by specifying the following:

I assume that the “key” doesn’t matter as long as the “value” is set, or do I have to set “key” to “value”?

I tried to use ((vault:username)), “((vault:username))” “((username.key))” “((vault:username.key))” and so on. It’s just not working.

Any ideas? Hints?

I’m lost.

Thanks!

KR,

G.

Now call me nuts, a minute after writing this it’s working.

Ran into the problem again…

Turns out, the key’s value needs to be “value” (lower case) and the value’s value needs to be the value you need. To clarify:

vault write /concourse/team/somevar/ value="somevalue"

KR,

G.
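To make the lookup rules quoted from the docs and the fix in the last reply concrete, here is an added example (not code from the thread or from Concourse itself) that models Concourse's Vault credential resolution against a small in-memory stand-in for Vault. The team name "main", pipeline "build", secret names and values are constructed; the shared-path fallback is modelled from the post's mention of CONCOURSE_VAULT_SHARED_PATH, and the assumption that resolution stops at the first path where the secret exists is the model's own, not something the docs excerpt states.

```python
"""Model of Concourse's Vault credential lookup, as described in the thread.

A secret is a dict of field -> value, exactly what `vault read` prints as
Key/Value rows. The store below is a constructed stand-in for Vault's KV
backend so the example runs offline.
"""
from typing import Dict, List, Optional

Secret = Dict[str, str]
Store = Dict[str, Secret]


def vault_write(store: Store, path: str, **fields: str) -> None:
    """Mimic `vault write PATH k=v ...`: the k=v pairs become the secret's fields."""
    store[path] = dict(fields)


# Constructed sample store reproducing the thread's two ways of writing a secret.
VAULT: Store = {}
# The variant that failed: `vault write /concourse/main/username username=someusername`
vault_write(VAULT, "/concourse/main/username", username="someusername")
# The variant that works: `vault write /concourse/main/password value=somepassword`
vault_write(VAULT, "/concourse/main/password", value="somepassword")
# A pipeline-scoped secret, which shadows the team-scoped one of the same name.
vault_write(VAULT, "/concourse/main/build/password", value="pipelinepassword")
# A secret under the shared path (CONCOURSE_VAULT_SHARED_PATH=global, assumed).
vault_write(VAULT, "/concourse/global/token", value="sharedtoken")


def candidate_paths(var: str, team: str, pipeline: Optional[str] = None,
                    prefix: str = "/concourse",
                    shared: Optional[str] = None) -> List[str]:
    """Paths tried in order: pipeline scope (only inside a pipeline), team scope,
    then the shared path if one is configured. A one-off build has no pipeline,
    so it only sees the team (and shared) paths."""
    paths = []
    if pipeline is not None:
        paths.append(f"{prefix}/{team}/{pipeline}/{var}")
    paths.append(f"{prefix}/{team}/{var}")
    if shared is not None:
        paths.append(f"{prefix}/{shared}/{var}")
    return paths


def resolve(param: str, team: str, pipeline: Optional[str] = None,
            store: Store = VAULT, shared: Optional[str] = None) -> Optional[str]:
    """Resolve ((param)) or ((param.field)).

    Without a `.field` suffix the field name defaults to "value", which is why
    a secret written as `username=someusername` yields nothing for ((username)).
    """
    name, _, field = param.partition(".")
    field = field or "value"
    for path in candidate_paths(name, team, pipeline, shared=shared):
        secret = store.get(path)
        if secret is None:
            continue  # not present at this scope, fall back to the next one
        # Assumption of this model: the first path holding the secret wins;
        # a missing field there is a miss, not a reason to try a wider scope.
        return secret.get(field)
    return None


if __name__ == "__main__":
    # ((username)) misses because the secret has no "value" field ...
    print(resolve("username", "main", "build"))            # None
    # ... while naming the field explicitly, per the docs' dot syntax, works.
    print(resolve("username.username", "main", "build"))   # someusername
    print(resolve("password", "main", "build"))            # pipelinepassword
    print(resolve("password", "main"))                     # somepassword
    print(resolve("token", "main", "build", shared="global"))  # sharedtoken
```

The `None` result for `((username))` is the quiet failure the original post describes: nothing is logged, and the git resource simply receives an empty credential, which is what the `could not read Username` error then reflects.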
