Configuration of HashiCorp Vault Paremeter Context : Error "Cannot login using Kubernetes: permission denied"

Alf015 — Mon, 20 Oct 2025 13:28:17 GMT

Hello

I'm trying to use Nifi Hashi Corp Vault Parameter Provider with Kubernetes authentication.
- Nifi versions is 2.4.0
- Hashi Corp version is 1.19.5

From my Nifi pod I get to authenticate successfully using the following curl

curl -s -k -X POST -H 'X-Vault-Namespace: DATA/DATAOPE/EC002I002621/' -H 'X-Vault-Request: true' -d '{"jwt": "<content of file /var/run/secrets/kubernetes.io/serviceaccount/token>", "role": "role_k8s_auth_demo_re_ns002i007839"}' https://hvault.staging.my_company/v1/auth/kubernetes_demo_re_ns002i007839/login

From the pod I then get to make a successful secret retrieval with the follwing curl

curl -H "X-Vault-Request: true" -H "X-Vault-Namespace: DATA/DATAOPE/EC002I002621/" -H "X-Vault-Token: <token retrieved by previous command>" https://hvault.staging.my_company/v1/secret/data/test

I try to make sense of the doc and cannot get to a working configuration

I setup my HashiCorp Vault Client with the following properties direct properties

vault.kubernetes.kubernetes-path kubernetes_demo_re_ns002i007839
vault.kubernetes.role role_k8s_auth_demo_re_ns002i007839
vault.namespace DATA/DATAOPE/EC002I002621/
and set up the SSL context service appropriately.

I set up my Parameter Provider with the following direct properties
key value path : DATA/DATAOPE/EC002I002621/secret/
version : kv 2
secret name pattern : .*

I get the following error message :
Error fetching parameters for ParameterProvider[id=xxxx]:
Cannot login using Kubernetes: permission denied

Can someone help me sort out what I'm doing wrong ?
Is there a way to dump the API calls made by the Parameter Provider ?

Regards.

Regards

Re: Configuration of HashiCorp Vault Paremeter Context : Error "Cannot login using Kubernetes: permission denied"

vafs — Thu, 12 Feb 2026 16:41:27 GMT

Hello @Alf015,

I found two thing that may be causing this issue.
First, the "vault.namespace" should not have the "/" at the end:
https://docs.spring.io/spring-vault/docs/2.3.x/reference/html/#vault.core.environment-vault-configuration

On the Paramenter Provider, "key value path" should be only "secret", all the rest is taken from the header.
https://nifi.apache.org/docs/nifi-docs/components/org.apache.nifi/nifi-hashicorp-vault-nar/1.28.0/org.apache.nifi.vault.hashicorp.HashiCorpVaultParameterProvider/

Try those changes and let us know if this fails.
If it does, maybe the Debug level for those modules can provide more information:

question Re: Configuration of HashiCorp Vault Paremeter Context : Error "Cannot login using Kubernetes: permission denied" in Support Questions

Configuration of HashiCorp Vault Paremeter Context : Error "Cannot login using Kubernetes: permission denied"

Re: Configuration of HashiCorp Vault Paremeter Context : Error "Cannot login using Kubernetes: permission denied"