Problem
When using a custom plugin to perform a read or write action, the error message "route entry is tainted" is observed. A sample operation with the error can be found below:
$ vault write -f vault-custom-plugin/members/member
Error writing data to vault-custom-plugin/members/member: Error making API request.
URL: PUT https://127.0.0.1:8200/v1/vault-custom-plugin/members/member
Code: 404. Errors:
* no handler for route "vault-custom-plugin/members/member". route entry is tainted
Prerequisites
- Vault running with Vault Custom Plugin
Cause
There could be multiple causes for this issue. Below are some common causes:
- The mount point was enabled in a different namespace from the one the request is targeting.
- The removal of a tainted mount point has failed previously due to a known bug that was addressed in Vault 1.11.0.
- The removal of a mount point has failed previously due to timeouts.
Solutions
- Check that the correct mount is being called, and in the correct namespace, by running vault read sys/mounts (or vault secrets list). This will output the paths of the mount points. If the plugin was enabled in another namespace, target that namespace with the -namespace flag or the VAULT_NAMESPACE environment variable.
- There was a known bug, addressed in Vault 1.11.0, where the error "failed to taint entry in mounts table" can occur during the removal of a tainted mount point. To work around it, enable the plugin under a different path, plan to upgrade Vault to 1.11.0 or later, and then remove the tainted mount point again.
- In certain situations a previous removal of the mount point can fail due to a timeout, as described in the GitHub issue linked under Additional Information. In this case you can either retry the removal with longer timeout settings (default_max_request_duration in the server configuration and VAULT_CLIENT_TIMEOUT for the CLI) and then re-mount the plugin, or mount it under a different path.
Additional Information
See the following GitHub issue and pull request to learn more about a failed mount removal:
https://github.com/hashicorp/vault/issues/12228
https://github.com/hashicorp/vault/pull/15067