
Configuration of HashiCorp Vault Parameter Context : Error "Cannot login using Kubernetes: permission denied"

Contributor

Hello 

I'm trying to use the NiFi HashiCorp Vault Parameter Provider with Kubernetes authentication.
 - NiFi version is 2.4.0
 - HashiCorp version is 1.19.5

From my NiFi pod I can authenticate successfully using the following curl command:

curl -s -k -X POST \
  -H 'X-Vault-Namespace: DATA/DATAOPE/EC002I002621/' \
  -H 'X-Vault-Request: true' \
  -d '{"jwt": "<content of file /var/run/secrets/kubernetes.io/serviceaccount/token>", "role": "role_k8s_auth_demo_re_ns002i007839"}' \
  https://hvault.staging.my_company/v1/auth/kubernetes_demo_re_ns002i007839/login

From the pod I can then retrieve a secret successfully with the following curl command:

curl -H "X-Vault-Request: true" \
  -H "X-Vault-Namespace: DATA/DATAOPE/EC002I002621/" \
  -H "X-Vault-Token: <token retrieved by previous command>" \
  https://hvault.staging.my_company/v1/secret/data/test

I have tried to make sense of the docs but cannot get to a working configuration.

I set up my HashiCorp Vault Client with the following properties:

vault.kubernetes.kubernetes-path                       kubernetes_demo_re_ns002i007839
vault.kubernetes.role                                  role_k8s_auth_demo_re_ns002i007839
vault.namespace                                        DATA/DATAOPE/EC002I002621/
and set up the SSL context service appropriately.

I set up my Parameter Provider with the following direct properties
key value path:      DATA/DATAOPE/EC002I002621/secret/
version:             kv 2
secret name pattern: .*

I get the following error message:
Error fetching parameters for ParameterProvider[id=xxxx]:
Cannot login using Kubernetes: permission denied

Can someone help me sort out what I'm doing wrong?
Is there a way to dump the API calls made by the Parameter Provider ?

Regards.


Master Collaborator

Hello @Alf015

I found two things that may be causing this issue.
First, the "vault.namespace" should not have the "/" at the end:
https://docs.spring.io/spring-vault/docs/2.3.x/reference/html/#vault.core.environment-vault-configur...

On the Parameter Provider, "key value path" should be only "secret"; all the rest is taken from the header.
https://nifi.apache.org/docs/nifi-docs/components/org.apache.nifi/nifi-hashicorp-vault-nar/1.28.0/or... 

Try those changes and let us know if this fails. 
If it does, maybe the Debug level for those modules can provide more information: 

<logger name="org.apache.nifi.vault" level="DEBUG"/>
<logger name="org.apache.nifi.parameter" level="DEBUG"/>
<logger name="org.springframework.vault" level="DEBUG"/>

Regards,
Andrés Fallas
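As an added example (not part of this thread and not NiFi's or Spring Vault's own code), the following Python script reproduces the two Vault API calls behind the poster's curl commands, Kubernetes login followed by a KV v2 read, and applies the two fixes from the reply: the namespace is sent without its trailing slash, and a key-value path that has the namespace pasted in front of it ("DATA/DATAOPE/EC002I002621/secret/") is reduced to the bare mount "secret" before the URL is built. The `describe()` trace is one answer to the question about dumping the API calls: it records method, URL and headers for each request (with the token redacted). Host, namespace, auth mount and role are the values from the thread; the secret name "test", the `transport` hook (which lets the script run without a network) and any canned responses are constructed for this example. Running it as a script inside the pod performs the real calls with the service-account JWT.

```python
"""Added example: replay the Kubernetes-auth login and KV v2 read that NiFi's
Vault Parameter Provider performs, so the exact requests can be inspected."""
import json
import urllib.error
import urllib.request

# Values from the thread; the secret name below ("test") is the poster's, the
# rest of the inputs in the test are constructed.
VAULT_ADDR = "https://hvault.staging.my_company"
NAMESPACE = "DATA/DATAOPE/EC002I002621/"        # as configured, trailing slash included
K8S_AUTH_PATH = "kubernetes_demo_re_ns002i007839"
K8S_ROLE = "role_k8s_auth_demo_re_ns002i007839"
SA_TOKEN_FILE = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def normalize_namespace(ns):
    """X-Vault-Namespace is 'a/b/c'; the reply notes the NiFi/Spring Vault
    client wants it without a trailing slash."""
    return ns.strip().strip("/")


def normalize_mount(mount, namespace):
    """Mount paths are relative to the namespace. If the namespace was pasted
    in front of the mount (the thread's 'DATA/.../secret/'), strip it."""
    m = mount.strip().strip("/")
    ns = normalize_namespace(namespace)
    return m[len(ns) + 1:] if ns and m.startswith(ns + "/") else m


def login_request(jwt, namespace=NAMESPACE, auth_path=K8S_AUTH_PATH, role=K8S_ROLE):
    """POST /v1/auth/<auth_path>/login with the pod's service-account JWT."""
    url = f"{VAULT_ADDR}/v1/auth/{normalize_mount(auth_path, namespace)}/login"
    headers = {"X-Vault-Namespace": normalize_namespace(namespace),
               "X-Vault-Request": "true", "Content-Type": "application/json"}
    body = json.dumps({"jwt": jwt, "role": role}).encode()
    return {"method": "POST", "url": url, "headers": headers, "body": body}


def kv2_read_request(token, secret_name, mount="secret", namespace=NAMESPACE):
    """GET /v1/<mount>/data/<name>: KV v2 inserts 'data' after the mount."""
    url = (f"{VAULT_ADDR}/v1/{normalize_mount(mount, namespace)}"
           f"/data/{secret_name.strip('/')}")
    headers = {"X-Vault-Namespace": normalize_namespace(namespace),
               "X-Vault-Request": "true", "X-Vault-Token": token}
    return {"method": "GET", "url": url, "headers": headers, "body": None}


def describe(call):
    """One-line trace of a request with the Vault token redacted."""
    hdrs = {k: v for k, v in call["headers"].items() if k.lower() != "x-vault-token"}
    return f"{call['method']} {call['url']} {json.dumps(hdrs, sort_keys=True)}"


def send(call, transport=None):
    """Execute a request; `transport` lets a test stand in for the network."""
    if transport is not None:
        return transport(call)
    req = urllib.request.Request(call["url"], data=call["body"],
                                 headers=call["headers"], method=call["method"])
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:            # e.g. 403 "permission denied"
        detail = e.read().decode(errors="replace")
        raise RuntimeError(f"{call['method']} {call['url']} -> {e.code}: {detail}") from None


def fetch_secret(jwt, secret_name, mount="secret", namespace=NAMESPACE, transport=None):
    """Login, then read one KV v2 secret; returns (secret data, request trace)."""
    trace = []
    login = login_request(jwt, namespace=namespace)
    trace.append(describe(login))
    token = send(login, transport)["auth"]["client_token"]
    read = kv2_read_request(token, secret_name, mount=mount, namespace=namespace)
    trace.append(describe(read))
    return send(read, transport)["data"]["data"], trace


if __name__ == "__main__":
    with open(SA_TOKEN_FILE) as f:
        sa_jwt = f.read().strip()
    # Deliberately pass the misconfigured path: it is normalised to "secret".
    secret, calls = fetch_secret(sa_jwt, "test", mount="DATA/DATAOPE/EC002I002621/secret/")
    print("\n".join(calls))
    print("keys:", sorted(secret))
```

If the login call itself returns 403 "permission denied" from this script as well, the problem is on the Vault side (role binding, auth mount name or namespace) rather than in the NiFi properties; if the script succeeds, compare its two trace lines against the DEBUG output from the loggers above.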