Getting Access Denied while cloning a private GitLab repo in a Jenkins pipeline using a Vault secret

I have stored a PAT in Vault and am trying to clone a GitLab private repo with this credential, but I am getting an access denied error. I'm able to clone the same repo by providing hardcoded values of the username and PAT in the clone command. Below is my pipeline snippet:

stage('Read Secrets From Vault') {
    steps {
        withVault(configuration: [
            vaultCredentialId: 'vault-token',
            vaultUrl: 'https://my-vault.com'],
            vaultSecrets: [
                [
                    path: 'gitlab/credentials',
                    engineVersion: 1,
                    secretValues: [
                        [envVar: 'uname', vaultKey: 'usr'],
                        [envVar: 'pat', vaultKey: 'pat']
                    ]
                ]
            ])
        {
            // Double-quoted Groovy string: ${uname} and ${pat} are interpolated by Groovy,
            // not by the shell. Writing them to files leaves the secrets in clear text in
            // the workspace (debugging only).
            sh """
                echo ${uname} > username.txt
                echo ${pat} > token.txt
                sleep 60
            """
        }
    }
}

stage('Checkout') {
    steps {
        script {
            // Single-quoted Groovy string: the shell expands ${uname} and ${pat} at run time.
            sh '''
                git clone https://${uname}:${pat}@gitlab-repo.git
            '''
        }
    }
}

I can even see the username and token in the respective txt files mentioned above.

Could someone please help me understand why this is happening? Any insights or recommendations on how to prevent this issue in the future would be greatly appreciated.

Thank you!

The issue might be related to how the environment variables are being used in the git clone command.
When using environment variables in a shell script, you need to ensure they are properly referenced.
Additionally, it’s a good practice to use single quotes around the URL to prevent any special characters in the PAT from being misinterpreted by the shell.

Here’s a revised, but untested, version of your pipeline snippet:

pipeline {
    agent any
    stages {
        stage('Read Secrets From Vault') {
            steps {
                // The first map is the Vault connection; the second lists the secrets to
                // read and the environment variables they are injected into.
                withVault(configuration: [
                    vaultCredentialId: 'vault-token',
                    vaultUrl: 'https://my-vault.com'],
                    vaultSecrets: [
                        [
                            path: 'gitlab/credentials',
                            engineVersion: 1,
                            secretValues: [
                                [envVar: 'uname', vaultKey: 'usr'],
                                [envVar: 'pat', vaultKey: 'pat']
                            ]
                        ]
                    ]
                ) {
                    // Single-quoted Groovy string: ${uname} and ${pat} are left for the
                    // shell to expand from the environment injected by withVault inside
                    // this block. The files are written in clear text (debugging only).
                    sh '''
                        echo ${uname} > username.txt
                        echo ${pat} > token.txt
                        sleep 60
                    '''
                }
            }
        }
        stage('Checkout') {
            steps {
                script {
                    // Single-quoted as well, so the shell expands the variables at run time.
                    sh '''
                        git clone https://${uname}:${pat}@gitlab-repo.git
                    '''
                }
            }
        }
    }
}
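As an added example (not the thread's own code), the following Jenkinsfile stage applies the same single-quoting rule but does the clone inside the withVault block, where the injected environment variables are defined, and hands the PAT to git through a one-shot credential helper instead of embedding it in the clone URL, so the token does not end up in .git/config (remote.origin.url) or in the process listing. The Vault path and keys follow the thread; the repository URL and the env var names GIT_USER and GIT_PAT are placeholders.

```groovy
pipeline {
    agent any
    stages {
        stage('Clone with Vault-issued PAT') {
            steps {
                withVault(configuration: [
                    vaultCredentialId: 'vault-token',
                    vaultUrl: 'https://my-vault.com'],
                    vaultSecrets: [[
                        path: 'gitlab/credentials',
                        engineVersion: 1,
                        secretValues: [
                            // Placeholder env var names; the vault keys are the ones from the thread.
                            [envVar: 'GIT_USER', vaultKey: 'usr'],
                            [envVar: 'GIT_PAT',  vaultKey: 'pat']
                        ]
                    ]]
                ) {
                    // Single-quoted Groovy string: nothing is interpolated by Groovy, so the
                    // secret is never pasted into the script text; the shell reads GIT_USER
                    // and GIT_PAT from the environment that withVault set up for this block.
                    sh '''
                        set -eu
                        # Inline credential helper: git runs it with "get" on stdin and reads
                        # username/password lines from its stdout. It is passed with -c, so it
                        # applies to this one command and is not written to the repo config.
                        # GIT_TERMINAL_PROMPT=0 makes git fail fast instead of hanging on a prompt.
                        GIT_TERMINAL_PROMPT=0 git \\
                            -c credential.helper='!f() { echo "username=$GIT_USER"; echo "password=$GIT_PAT"; }; f' \\
                            clone https://gitlab.example.com/group/project.git
                    '''
                }
            }
        }
    }
}
```

Because the clone runs inside the withVault block, no secret has to be copied to a file in the workspace; if a later stage needs the checkout, it can use the cloned directory without needing the credentials again.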

@poddingue Using single quotes, it's working. Thank you so much!!