
Fetching assume-role credentials fails with VaultPluginException: Vault credentials not found for 'aws/creds/jenkins-role' #350

@skumsi

Description


Jenkins and plugins versions report

Environment
CloudBees CI Client Controller version : 2.452.3.2
HashiCorp Vault Plugin Version : 371.v884a_4dd60fb_6

What Operating System are you using (both controller, and any agents involved in the problem)?

Linux

Reproduction steps

STEP 1:
Creating vault auth credentials:
Navigate to Manage Jenkins > Credentials > System > Global credentials
Click +Add Credential
Select Kind -> Vault App Role Credential
Select Scope -> Global
Set Role ID and Secret ID for the Approle meant for Jenkins from Vault.
Set Path to 'approle'
Set Namespace - value from vault
Set ID - this is the credentials ID that will be needed to configure the Vault plugin in the Jenkins system configuration.
Set Description for the credential.

Now that we have a credential that can authenticate with Vault, next step is to configure the Vault plugin.

STEP 2:
Navigate to Manage Jenkins > Credentials > System > Vault Plugin
Enter the Vault URL and select the credential created for Vault authentication in the previous step.
Under Advanced settings
set Vault Namespace (this is a global setting)
set K/V engine version: 2
check the 'Fail if path is not Found' and 'Skip SSL verification' options
Save

STEP 3:
Following is the Jenkins pipeline stage that fails to retrieve the temporary assume-role credentials:

```groovy
stage('Get AWS AssumeRole Credentials') {
    steps {
        withVault(
            configuration: [
                vaultCredentialId: '<credentials ID from Step 1>', // Vault AppRole Credential ID in Jenkins Credentials
                vaultUrl: 'https://<your-vault-domain>.com'
            ],
            vaultSecrets: [
                [
                    path: 'aws/creds/jenkins-role',  // Vault path where your AssumeRole credentials are created
                    secretValues: [
                        [envVar: 'AWS_ACCESS_KEY_ID', vaultKey: 'access_key'],
                        [envVar: 'AWS_SECRET_ACCESS_KEY', vaultKey: 'secret_key'],
                        [envVar: 'AWS_SESSION_TOKEN', vaultKey: 'security_token'],
                    ]
                ]
            ]
        ) {
            // Now you have AWS credentials injected into environment variables
            sh '''
                echo "Accessing AWS with temp AssumeRole credentials..."
                aws sts get-caller-identity
            '''
        }
    }
}
```

Expected Results

Jenkins to successfully set the AWS credentials and get a successful response from `$ aws sts get-caller-identity`.

Actual Results

Jenkins console output error

```
Also:   org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: 65277e60-aa5b-46dd-8138-ca22e3f657e6
com.datapipe.jenkins.vault.exception.VaultPluginException: Vault credentials not found for 'aws/creds/jenkins-role'
	at com.datapipe.jenkins.vault.VaultAccessor.responseHasErrors(VaultAccessor.java:277)
	at com.datapipe.jenkins.vault.VaultAccessor.retrieveVaultSecrets(VaultAccessor.java:212)
	at com.datapipe.jenkins.vault.VaultBindingStep$Execution.doStart(VaultBindingStep.java:115)
	at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
```

Anything else?

TROUBLESHOOTING:

  • `$ vault read aws/creds/jenkins-role`
    This command successfully returns the temporary credentials (access_key, secret_key and session_token).
  • Adding a Log recorder for Vault Plugin Debug returns the following error:

```
Apr 28, 2025 12:44:33 PM FINE com.datapipe.jenkins.vault.credentials.AbstractVaultTokenCredentialWithExpiration tokenExpired
Expiration for  is java.util.GregorianCalendar[time=1745859578499,areFieldsSet=true,areAllFieldsSet=true,lenient=true,zone=sun.util.calendar.ZoneInfo[id="America/New_York",offset=-18000000,dstSavings=3600000,useDaylight=true,transitions=235,lastRule=java.util.SimpleTimeZone[id=America/New_York,offset=-18000000,dstSavings=3600000,useDaylight=true,startYear=0,startMode=3,startMonth=2,startDay=8,startDayOfWeek=1,startTime=7200000,startTimeMode=0,endMode=3,endMonth=10,endDay=1,endDayOfWeek=1,endTime=7200000,endTimeMode=0]],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2025,MONTH=3,WEEK_OF_YEAR=18,WEEK_OF_MONTH=5,DAY_OF_MONTH=28,DAY_OF_YEAR=118,DAY_OF_WEEK=2,DAY_OF_WEEK_IN_MONTH=4,AM_PM=1,HOUR=0,HOUR_OF_DAY=12,MINUTE=59,SECOND=38,MILLISECOND=499,ZONE_OFFSET=-18000000,DST_OFFSET=3600000], diff: -905093
Apr 28, 2025 12:44:33 PM FINE com.datapipe.jenkins.vault.credentials.AbstractVaultTokenCredentialWithExpiration tokenExpired
Auth token is still valid for policies ''
```

Vault plugin is failing to read the policy associated with the approle role.

  • Verified from the Vault CLI that the role does have a policy associated with it:

```
$ vault read sys/policy/cicd-operator
Key     Value
name    cicd-operator
rules
# Read secrets
path "+/*"
{
  capabilities = ["read", "list"]
}
# Permissions to the temporary 'aws' credentials
path "aws/creds/*"
{
  capabilities = ["read", "list"]
}
```

### Are you interested in contributing a fix?

_No response_
