From b4ebcdd4173c73b6cdfa26f69279651aa7cfbe60 Mon Sep 17 00:00:00 2001
From: Michael Li <michael.li@hashicorp.com>
Date: Wed, 21 Jan 2026 17:44:39 -0500
Subject: [PATCH] test(e2e): Address issue when password starts with @

(cherry picked from commit 00e6359b59d798dd988445f92e49f4fa8409b2b8)
---
 testing/internal/e2e/vault/vault.go | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/testing/internal/e2e/vault/vault.go b/testing/internal/e2e/vault/vault.go
index 4284494337..87b12a75bc 100644
--- a/testing/internal/e2e/vault/vault.go
+++ b/testing/internal/e2e/vault/vault.go
@@ -294,14 +294,17 @@ func CreateKvPasswordCredential(t testing.TB, secretPath string, user string, pr
 		require.NoError(t, err)
 	}
 
+	// Escape '@' in the password. Vault CLI interprets '@' as a file
+	escapedPassword := strings.ReplaceAll(password, "@", "\\@")
+
 	// Create secret
 	output := e2e.RunCommand(context.Background(), "vault",
 		e2e.WithArgs(
 			"kv", "put",
 			"-mount", secretPath,
 			secretName,
-			"username="+user,
-			"password="+password,
+			fmt.Sprintf("username=%s", user),
+			fmt.Sprintf("password=%s", escapedPassword),
 		),
 	)
 	require.NoError(t, output.Err, string(output.Stderr))
@@ -338,15 +341,18 @@ func CreateKvPasswordDomainCredential(t testing.TB, secretPath string, user stri
 		require.NoError(t, err)
 	}
 
+	// Escape '@' in the password. Vault CLI interprets '@' as a file
+	escapedPassword := strings.ReplaceAll(password, "@", "\\@")
+
 	// Create secret
 	output := e2e.RunCommand(context.Background(), "vault",
 		e2e.WithArgs(
 			"kv", "put",
 			"-mount", secretPath,
 			secretName,
-			"username="+user,
-			"password="+password,
-			"domain="+domain,
+			fmt.Sprintf("username=%s", user),
+			fmt.Sprintf("password=%s", escapedPassword),
+			fmt.Sprintf("domain=%s", domain),
 		),
 	)
 	require.NoError(t, output.Err, string(output.Stderr))