Failed to parse mountpoint with missing type field error

I’m running into errors when trying to create Vault keys and I’m running out of ideas on why this is happening. Does anyone have advice on ways to extract more detailed logs to debug this issue?

My Vault policy configuration looks like this:

path "myapp-tde/data/*" {
  capabilities = ["read", "create", "update", "list"]
}

path "myapp-tde/metadata/*" {
  capabilities = ["read", "list"]
}

path "sys/mounts/*" {
  capabilities = ["read"]
}

And the PGSQL call I’m using to add the Vault key provider:

SELECT pg_tde_add_global_key_provider_vault_v2(
  'vault-provider',
  'https://vault.example.internal',
  'myapp-tde/data/global-key',
  '/etc/postgresql/secrets/vault_token.txt',
  '/etc/pki/ca-trust/source/anchors/ca.crt',
  'app-npd/'
);

Error:

ERROR: failed to parse mount info for "https://vault.example.internal" at mountpoint "myapp-tde/data/global-key": missing type field

I’ve verified my policy and paths, but I’m still hitting this error. Any tips on how to get more detailed Vault or PostgreSQL logs to understand what’s failing would be greatly appreciated.

Hello @Butterfly

There are two issues in this configuration.

The first is that myapp-tde/data/global-key should be simply myapp-tde.

The second is that we still have an issue in our namespace support because of a bug in HashiCorp Vault; we will add a workaround in our next release. Until then, our namespace support only works with OpenBao.
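
A pre-flight check for the first point, added here as an example (it is not part of either post and is not pg_tde code): it reduces a KV v2 API path to its mount name and validates a `sys/mounts/<mount>` reply before the provider is registered. The function names, the sample JSON bodies and the assumption that the mount must report type `kv` with version `2` are constructed for illustration.

```python
import json

# KV v2 API prefixes that follow the mount name in a secret path
KV2_API_SEGMENTS = ("data", "metadata")


def split_mount(path):
    """Split a KV v2 API path into (mount, rest); rest is None for a bare mount.

    Heuristic: assumes the mount name itself has no 'data'/'metadata' segment.
    """
    parts = [p for p in path.strip("/").split("/") if p]
    for i, seg in enumerate(parts):
        if i > 0 and seg in KV2_API_SEGMENTS:
            return "/".join(parts[:i]), "/".join(parts[i:])
    return "/".join(parts), None


def mount_problems(response_text):
    """Return reasons a sys/mounts/<mount> reply does not describe a KV v2 mount."""
    try:
        doc = json.loads(response_text)
    except ValueError:
        return ["response is not JSON"]
    if not isinstance(doc, dict):
        return ["response is not a JSON object"]
    info = doc.get("data") or doc  # mount fields may sit under "data"
    mtype = info.get("type")
    if mtype is None:
        return ["missing type field"]
    if mtype != "kv":
        return ["type is %r, expected 'kv'" % mtype]
    version = (info.get("options") or {}).get("version")
    if version != "2":
        return ["kv version is %r, expected '2'" % version]
    return []


# Constructed sample bodies (not captured from a real server)
GOOD = '{"data": {"type": "kv", "options": {"version": "2"}}}'
NO_TYPE = '{"errors": ["constructed error body"]}'
KV1 = '{"data": {"type": "kv", "options": null}}'

if __name__ == "__main__":
    mount, rest = split_mount("myapp-tde/data/global-key")
    print("use mount %r (drop %r)" % (mount, rest))
    for name, body in (("GOOD", GOOD), ("NO_TYPE", NO_TYPE), ("KV1", KV1)):
        print(name, mount_problems(body) or "ok")
```
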