Issue extracting nested JSON array secrets with ArgoCD Vault Plugin #705

Description

@pkgit36

Hi Team,

We are storing our secrets in Vault using this nested JSON format:


{
  "tls.crt": [
    {
      "data": {
        "test.com": "<certificate-string>"
      }
    }
  ],
  "tls.key": "<private-key-string>"
}

Our goal is to extract the certificate nested at tls.crt.data.test.com using:

tls.crt: <tls.crt | jsonPath {['tls.crt'][0].data.test.com}>
tls.key: <tls.key>

However, we receive this error from ArgoCD Vault Plugin:

jsonPath: tls is not found for placeholder tls.crt in string tls.crt: <tls.crt | jsonPath {['tls.crt'][0].data.test.com}>

We assume this happens because AVP is unable to locate the top-level key tls.crt and instead treats the dot as a delimiter, mistakenly searching for a key named tls.

To work around this, we renamed the key to tls_crt in Vault and updated the manifest accordingly:

tls_crt: <tls_crt | jsonPath {['tls_crt'][0].data.test.com}>

But we still get a similar error:

jsonPath: tls_crt is not found for placeholder tls_crt in string tls_crt: <tls_crt | jsonPath {['tls_crt'][0].data.test.com}>

It appears the plugin cannot correctly resolve nested JSON array keys through jsonPath expressions when the top-level value is a complex object or array.

Could you please advise if this is a known limitation of AVP or if there is a recommended way to handle nested JSON secrets in Vault?
