Skip to main content

Remote Executor Secret Injection Failure

Angelo Bresci
Updated

Area: Deployment Issues

Sub-Area: Managed Ingestion Remote Executors

Issue

Secret environment variables referenced in ingestion recipes using ${SECRET_NAME} syntax are not being injected properly on remote executors, causing ingestion runs to fail with authentication errors. The executor logs show "Warning: No secret names provided via DATAHUB_SECRET_NAMES" indicating that the secret substitution process is not receiving the required secret references.

Error Messages

  • Warning: No secret names provided via DATAHUB_SECRET_NAMES
  • Authentication failures from source systems when secrets are not substituted

You Might Be Asking

  • Why are my managed secrets not working in remote executor ingestion runs?
  • Do I need to configure secrets separately for each executor pool?
  • Why does my ingestion work when I paste the secret value directly but fail with variable substitution?

Solution

This issue is typically caused by older secrets that were created before certain security updates in DataHub Cloud. The resolution is to create new secrets with the same values:

  1. Navigate to Settings > Secrets in your DataHub instance
  2. Create a new secret with a different name but the same value as your existing secret: 
    New Secret Name: __NEW
Secret Value: [same value as original secret]
  3. Update your ingestion recipe to reference the new secret name: 
    token_value: '${__NEW}'
  4. Run your ingestion to verify the secret is now being injected properly
  5. Once confirmed working, you can delete the old secret and optionally rename the new one

For troubleshooting secret injection issues:

  • Check the executor logs for the "DATAHUB_SECRET_NAMES" warning message
  • Verify that your secret name in the recipe exactly matches the stored secret name
  • Test with a temporary new secret to isolate the issue

Additional Notes

This issue primarily affects secrets created before October 2023 due to security improvements made to the secret management system. UI-managed secrets should automatically propagate to all remote executor pools without additional configuration. If creating new secrets does not resolve the issue, contact DataHub Support as this may indicate a backend configuration problem with your executor pool.

Related Documentation

Tags: remote-executor, secrets, ingestion, managed-datahub, authentication, environment-variables, secret-injection, deployment, executor-pool, troubleshooting