Improve secrets providers error messages handling

[olljanat]

Nomad version

Nomad v1.11.1
BuildDate 2025-12-09T20:10:56Z
Revision 5b76eb0535615e32faf4daee479f7155ea16ec0d

Issue

There seems to be room for improve error messages coming from secrets providers handling.

1. When referring secret like this:

secret "my_secret" {
  provider = "custom-provider"
  path     = "path/to/secret"
}

and plugin returns error it will be visible as:

secrets: failed to fetch secret from plugin my_secret: exit status 1

which is confusing because my_secret is name of the secret, not name of the provider.
Error message like: failed to fetch secret my_secret from plugin custom-provider would make more sense.

2. provider author guide contains example function:

func returnErr(err string) {
    fmt.Printf(`{"error": "%s"}`, err)
    os.Exit(1)
}

but error handling logic

nomad/client/allocrunner/taskrunner/secrets/plugin_provider.go

Lines 38 to 44 in 5b76eb0

	resp, err := p.plugin.Fetch(ctx, p.path)
	if err != nil {
	return nil, fmt.Errorf("failed to fetch secret from plugin %s: %w", p.name, err)
	}
	if resp.Error != nil {
	return nil, fmt.Errorf("error returned from secret plugin %s: %s", p.name, *resp.Error)
	}

will not print those error messages unless exit code from plugin is zero.

[jrasell]

Hi @olljanat and thanks for raising this issue. I agree this looks like an area that we can improve, so I'll get this added to our backlog.