Task tight coupling when using credential store

I’m wondering if I’m missing something here, but I recently connected my Concourse instance with HashiCorp Vault, and it seems like tasks are now very tightly coupled with secrets.

Before using a credential manager, my pipeline would pass values to a task file using a vars block. This allowed for renaming of values from the main pipeline to the task, thus allowing the task to be more generic.

  access_key_id: ((special_user_access_key_id))

If I keep the same block above, but now use it with the credential store, I get an error when the task runs saying:

Expected to find variables: special_user_access_key_id

If I delete the vars block and rename the expected interpolation in the task, it runs just fine. The problem though, as mentioned at the start, is that the task definition is now tightly coupled with secret credential names. For common tasks that might be run with different contexts (different teams), this makes things pretty difficult.

I’m hoping I’m just missing something. If so, can someone please point me in the right direction to get this sorted out?


Question for clarification: when not using the credential store, when are you defining the value of ((special_user_access_key_id))?

There’s not enough information here to be helpful. However, might I suggest you reload the pipeline using the -v special_user_access_key_id=testvalue option to verify if the problem is that the variable has just not been defined properly?

Remember that the logic in terms of variable resolution is to 1) get the value from locally defined variables and 2) check in Vault. In other words, this problem is likely not related to Vault but to local variable resolution, i.e. the variables have not been loaded (-l or -v key=value).