Vault secret not pulled properly: "secrets may not be converted into strings"

machine2025 · April 23, 2025, 3:58pm

Hey,

I’m trying to integrate Alloy with my hashicorp Vault cluster and unfortunately my Alloy pods are not starting due to the following error:

Error: /etc/alloy/config.alloy:15:18: remote.vault.cluster.data.LOKI_USER secrets may not be converted into strings

Here is my config file:

remote.vault "cluster" {
  server = "https://vault-cluster.default:8200"
  path = "default"
  key = "loki/secret"
  auth.kubernetes {
    role = "alloy"
  }
}

loki.write "loki_endpoint" {
  endpoint {
    url = "https://loki.default:3100"
    basic_auth {
       username = remote.vault.cluster.data.LOKI_USER
       password = remote.vault.cluster.data.LOKI_PASSWORD
    }
  }
}

I’m not entirely sure what’s wrong here, the secrets in vault are in string form. I’m on Alloy 1.8.2 version. Did anyone stumble upon this issue?

machine2025 · April 24, 2025, 11:24am

Solved. Just in case someone encounters the same issue - Loki component expects url and basic_auth.username to not be secrets so they need to be wrapped in convert.nonsensitive(). Loki component documentation clearly states this, I just missed it.

Topic		Replies	Views
How to configure alloy basic_auth section with encrypted password Grafana Alloy loki	5	726	October 17, 2024
Blackbox secrets / credentials - Hashicorp - remote.vault Grafana Alloy alloy	1	65	July 30, 2024
Problems using the standard library expressions in config.alloy Grafana Alloy kubernetes , helm , alloy	3	187	January 24, 2025
Loki secret take control on secret I've provided Grafana Loki loki , kubernetes , helm	2	532	March 1, 2025
What is wrong with my configuration file? Grafana Alloy	23	174	March 5, 2025

Vault secret not pulled properly: "secrets may not be converted into strings"

Related topics