Vault credentials not found using Vault plugin, but works with VaultTokenCredentialBinding #196

Open
gracechensd opened this issue Nov 20, 2021 · 0 comments

Hi! I'm hoping to maybe get some pointers or guidance on an error.

I need to obtain credentials at the path v1/ci/kv/my/secret. We are using engine version 1. I have the credentials for a Vault AppRole, along with the correct login path, saved in a Jenkins secret. The Vault plugin options in the global configuration are set up to use our Vault address and the Vault AppRole credential, engine version 1, and "fail if path is not found". Jenkins version 2.277.4, Vault plugin 3.7.0.

Here's the test pipeline that I have going on, trying out both withCredentials() and the Vault plugin's withVault() as outlined here.

```groovy
stage("Test") {
    node(defaultNodeLabel()) {   // defaultNodeLabel() is the reporter's own helper
        println("TEST 1")
        // Method 1: bind a Vault token obtained from the AppRole credential and use the CLI.
        withCredentials([[
            $class: 'VaultTokenCredentialBinding',
            credentialsId: 'approle-cred-here',
            vaultAddr: 'https://my.vault.address.here']]) {
            sh 'vault kv get -field=user v1/ci/kv/my/secret'
        }

        // Method 2: let the plugin read the keys and expose them as environment variables.
        def secrets = [
            [path: 'v1/ci/kv/my/secret', secretValues: [
                [vaultKey: 'description'],
                [vaultKey: 'user']]]
        ]
        withVault([vaultSecrets: secrets]) {
            println("TEST 2")
            // Single-quoted Groovy strings: the shell expands $description and $user at run
            // time, so the secret is never interpolated into the script text. (The original
            // used '${env.description}', which sh cannot expand.)
            sh 'echo "$description"'
            sh 'echo "$user"'
        }
    }
}
```

The result is that withCredentials() works correctly, but withVault() does not.

```text
TEST 1
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] sh
+ vault kv get -field=user v1/ci/kv/my/secret
user1
...
Retrieving secret: v1/ci/kv/my/secret
com.datapipe.jenkins.vault.exception.VaultPluginException: Vault credentials not found for 'v1/ci/kv/my/secret'
```

From a brief look at the source code, it seems the Vault plugin did log in correctly but returns this sort of error when there is a 404 error, i.e. no secrets at the given path. But it seems odd that it would run into that issue when the secret path works correctly with at least two other methods:

  1. Use vault cli and the rest api via curl to use a role id and secret id to get a token, login using the token, and retrieve the secret
  2. Use withCredentials() as outlined in the Pipeline Usage section here to login and retrieve the secret

Do you have any suggestions on what could be the issue? So far I haven't had luck going through the two previous issues raised that have this same error, nor with the majority of other issues raised in case there's something else I missed.

Some things I’ve confirmed or tried:

  • Global configuration is correctly inherited
    • Prefix path and engine are used correctly when specified or changed
  • Engine version v1 is the one we want.
    • Using v1, it gives the above error where it will attempt to get the secret but cannot find anything at the given path.
    • Using v2 (incorrect) returns an access denied error
  • Using prefix path v1/ci/kv (and omitting it from the secret path) does not change behavior
  • Using namespace v1/ci/kv (and omitting it from the secret path) does not change behavior
  • role_id, secret_id, and path in the Jenkins secret are correct (changing any to something else reports a login or token error)
  • Tried both standalone Jenkins job, as well as job inside an organization or folder. No observed difference.
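The first working method above (AppRole login over the REST API, then a KV read) reproduced as an added shell example; it is not the reporter's code or the plugin's. It is useful for comparing what the plugin requests with what the CLI requests: with KV engine version 1 the path is read exactly as given, while with version 2 `data/` is inserted after the mount point, so the mount boundary matters and the wrong engine setting turns into a 404 or a permission error. Assumptions not taken from the issue: `jq` is installed; `VAULT_ADDR`, `ROLE_ID`, `SECRET_ID` and the AppRole mount (`approle` by default) are supplied by the caller; the mount boundary in the reporter's path is `v1/ci/kv` + `my/secret`, which is only a guess from the prefix-path experiment. Note that the leading `/v1` in every URL is the Vault HTTP API version and is distinct from the `v1/` that begins the reporter's mount path. Unlike withVault, which masks secret values in the build log, this script prints the field in clear text.

```shell
#!/bin/sh
# Added example (not from the issue, the reporter or the plugin): AppRole login and a
# KV read over Vault's HTTP API, plus the path rewriting that the KV engine version causes.
# Assumed: jq is available; VAULT_ADDR/ROLE_ID/SECRET_ID/APPROLE_MOUNT come from the caller.

# Build the API path a KV read uses for a given engine version.
# KV v1: /v1/<mount>/<path>          KV v2: /v1/<mount>/data/<path>
kv_api_path() {
  engine="$1"; mount="$2"; rel="$3"
  mount="${mount%/}"          # tolerate a trailing slash on the mount
  rel="${rel#/}"              # and a leading slash on the relative path
  case "$engine" in
    1) printf '/v1/%s/%s\n' "$mount" "$rel" ;;
    2) printf '/v1/%s/data/%s\n' "$mount" "$rel" ;;
    *) echo "unknown KV engine version: $engine" >&2; return 1 ;;
  esac
}

# AppRole login: POST role_id and secret_id to auth/<mount>/login, print the client token.
# The JSON body is built with printf so the secret_id never appears on a command line.
approle_login() {
  addr="$1"; mount="$2"; role_id="$3"; secret_id="$4"
  printf '{"role_id":"%s","secret_id":"%s"}' "$role_id" "$secret_id" |
    curl --silent --fail --request POST --data @- \
      "$addr/v1/auth/$mount/login" | jq -r '.auth.client_token'
}

# Read one field of a secret with the token. The response shape also differs by engine:
# v1 returns .data.<key>, v2 returns .data.data.<key>.
kv_read_field() {
  addr="$1"; token="$2"; engine="$3"; mount="$4"; rel="$5"; key="$6"
  path=$(kv_api_path "$engine" "$mount" "$rel") || return 1
  case "$engine" in
    1) filter=".data.\"$key\"" ;;
    2) filter=".data.data.\"$key\"" ;;
  esac
  curl --silent --fail --header "X-Vault-Token: $token" "$addr$path" | jq -r "$filter"
}

if [ -n "${VAULT_ADDR:-}" ] && [ -n "${ROLE_ID:-}" ] && [ -n "${SECRET_ID:-}" ]; then
  # Live run against a reachable Vault: same two steps the reporter did by hand.
  token=$(approle_login "$VAULT_ADDR" "${APPROLE_MOUNT:-approle}" "$ROLE_ID" "$SECRET_ID")
  kv_read_field "$VAULT_ADDR" "$token" 1 "v1/ci/kv" "my/secret" user
else
  # Offline: show the request path for the issue's secret under each engine version,
  # assuming the mount is v1/ci/kv (a guess, see the lead-in).
  kv_api_path 1 "v1/ci/kv" "my/secret"
  kv_api_path 2 "v1/ci/kv" "my/secret"
fi
```

If the v1 path printed here matches what the CLI hits (compare with `vault kv get -output-curl-string ...`) but the plugin still reports a 404, the remaining differences to check are the mount boundary implied by the plugin's prefix-path setting and any `X-Vault-Namespace` header sent when a namespace is configured.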