Problem
The SECRET[<backend name>.<secret name>] collector regex only allows word characters (letters, digits, _) in the backend name portion. A backend named with a hyphen (a valid component ID otherwise) is never matched, so any SECRET[...] reference to it is left in the configuration as a literal, unresolved string instead of failing with a clear error.
This is different from #23220 / #15796, which were about hyphens in the secret name portion (already fixed by #23465 — the second regex group allows -). The backend name (first) group still doesn't.
Configuration
secret:
my-backend:
type: "file"
path: "/tmp/secrets.json"
sources:
in:
type: "demo_logs"
format: "json"
sinks:
out:
type: "console"
inputs: ["in"]
encoding:
codec: "json"
healthcheck:
auth:
strategy: "basic"
user: "someuser"
password: "SECRET[my-backend.password]"
data_dir: "/tmp/data_dir"
with /tmp/secrets.json containing {"password":"hunter2"}.
Version
vector 0.57.0 (aarch64-apple-darwin 8832452 2026-07-14 20:58:30.491174540)
Debug Output
2026-07-15T19:58:10.841817Z INFO vector::app: Log level is enabled. level="info"
2026-07-15T19:58:10.842199Z INFO vector::app: Loading configs. paths=["/tmp/hyphen-backend.yaml"]
2026-07-15T19:58:11.043071Z INFO vector::topology::running: Running healthchecks.
2026-07-15T19:58:11.043151Z INFO vector::topology::builder: Healthcheck passed.
2026-07-15T19:58:11.043170Z INFO vector: Vector has started. ...
No secret-resolution error is logged and the healthcheck passes, meaning the literal string SECRET[my-backend.password] was used as the password instead of failing config load with a resolution error.
For contrast, a config with a valid backend name (my_backend) but a secret key that doesn't exist fails as expected:
2026-07-15T19:58:20.749897Z ERROR vector::cli: Configuration error. error=Error while retrieving secret from backend "my_backend": secret for key 'nonexistent_secret' was not retrieved.
Additional Context
The regex is defined in src/config/loading/secret.rs:
pub static COLLECTOR: LazyLock<Regex> =
LazyLock::new(|| Regex::new(r"SECRET\[([[:word:]]+)\.([[:word:].\-/]+)\]").unwrap());
The first capture group (backend name) is [[:word:]]+, which excludes -. The second capture group (secret name) already includes - (fixed by #23465).
References
Problem
The
SECRET[<backend name>.<secret name>]collector regex only allows word characters (letters, digits,_) in the backend name portion. A backend named with a hyphen (a valid component ID otherwise) is never matched, so anySECRET[...]reference to it is left in the configuration as a literal, unresolved string instead of failing with a clear error.This is different from #23220 / #15796, which were about hyphens in the secret name portion (already fixed by #23465 — the second regex group allows
-). The backend name (first) group still doesn't.Configuration
with
/tmp/secrets.jsoncontaining{"password":"hunter2"}.Version
vector 0.57.0 (aarch64-apple-darwin 8832452 2026-07-14 20:58:30.491174540)
Debug Output
No secret-resolution error is logged and the healthcheck passes, meaning the literal string
SECRET[my-backend.password]was used as the password instead of failing config load with a resolution error.For contrast, a config with a valid backend name (
my_backend) but a secret key that doesn't exist fails as expected:Additional Context
The regex is defined in
src/config/loading/secret.rs:The first capture group (backend name) is
[[:word:]]+, which excludes-. The second capture group (secret name) already includes-(fixed by #23465).References