basicauth/server: Environment variable does not work like described in the readme

[daanpersoons]

Component(s)

extension/basicauth

What happened?

Description

When I try to inject my basic auth password with an env, it does not work.
When I hardcode it, it does work properly.

Works:

extensions:
  basicauth/server:
    htpasswd:
      inline: |
        test:test

Not working:

extensions:
  basicauth/server:
    htpasswd:
      inline: |
        test:${env:BASIC_AUTH_PASSWORD}

Steps to Reproduce

Use the inline htpasswd parameter with an ENV like described in the docs.

extensions:
  basicauth/server:
    htpasswd:
      inline: |
        test:${env:BASIC_AUTH_PASSWORD}

Expected Result

Sending logs, metrics and traces to the collector is succesful

Actual Result

responded with HTTP Status Code 401, Message=invalid credentials

Collector version

latest

Environment information

Environment

OS: Kubernetes
ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest

OpenTelemetry Collector configuration

Receiving collector:
---
receivers:
  otlp:
    protocols:
      http:
        endpoint: 0.0.0.0:4318
        traces_url_path: clusters/${K8S_CLUSTER_NAME}/otlp/v1/traces
        logs_url_path: clusters/${K8S_CLUSTER_NAME}/otlp/v1/logs
        metrics_url_path: clusters/${K8S_CLUSTER_NAME}/otlp/v1/metrics
        auth:
          authenticator: basicauth/server

exporters:
  otlphttp:
    endpoint: http://shared-signoz-otel-collector.shared-signoz.svc.cluster.local:4318/otlp
    auth:
      authenticator: basicauth/client
extensions:
  basicauth/server:
    htpasswd:
      inline: |
        test:${env:BASIC_AUTH_PASSWORD} //ENV is injected BASIC_AUTH_PASSWORD=test
  basicauth/client:
    client_auth:
      username: test
      password: test123
  health_check:
    endpoint: 0.0.0.0:13133

processors:
  attributes:
    actions:
      - key: client.name
        action: insert
        value: ${CLIENT_NAME}
      - key: k8s.cluster.name
        action: insert
        value: ${K8S_CLUSTER_NAME}
  batch:
    send_batch_size: 1000
    timeout: 10s

service:
  extensions:
    - basicauth/client
    - basicauth/server
    - health_check
  pipelines:
    metrics:
      receivers: [otlp]
      processors: [attributes, batch]
      exporters: [otlphttp]
    logs:
      receivers: [otlp]
      processors: [attributes, batch]
      exporters: [otlphttp]
    traces:
      receivers: [otlp]
      processors: [attributes, batch]
      exporters: [otlphttp]



Sending collector:
---
exporters:
  otlphttp:
    endpoint: https://my-domain.com/clusters/k8s-name-intern/otlp
    auth:
      authenticator: basicauth/client
extensions:
  health_check:
    endpoint: 0.0.0.0:13133
  pprof:
    endpoint: localhost:1777
  zpages:
    endpoint: localhost:55679
  basicauth/client:
    client_auth:
      username: test
      password: test
processors:
  batch:
    send_batch_size: 10000
    timeout: 1s
  resourcedetection:
    detectors:
      - env
    override: false
    timeout: 2s
receivers:
  k8s_cluster:
    allocatable_types_to_report:
      - cpu
      - memory
    collection_interval: 30s
    metrics:
      k8s.node.condition:
        enabled: true
      k8s.pod.status_reason:
        enabled: true
    node_conditions_to_report:
      - Ready
      - MemoryPressure
      - DiskPressure
      - PIDPressure
      - NetworkUnavailable
  k8s_events: null
service:
  extensions:
    - health_check
    - zpages
    - pprof
    - basicauth/client
  pipelines:
    logs:
      exporters:
        - otlphttp
      processors:
        - resourcedetection
        - batch
      receivers:
        - k8s_events
    metrics/internal:
      exporters:
        - otlphttp
      processors:
        - resourcedetection
        - batch
      receivers:
        - k8s_cluster
  telemetry:
    logs:
      encoding: json

Log output

Log from sending collector when trying to use ENV variables in the receiving collector.
{"level":"error","ts":"2025-09-02T19:00:55.311Z","caller":"internal/queue_sender.go:52","msg":"Exporting failed. Dropping data.","resource":{"service.instance.id":"a9c7301c-cfb3-4715-869f-3acc6d255966","service.name":"otelcol-contrib","service.version":"0.133.0"},"otelcol.component.id":"otlphttp","otelcol.component.kind":"exporter","otelcol.signal":"metrics","error":"not retryable error: Permanent error: rpc error: code = Unauthenticated desc = error exporting items, request to https://my-domain.com/clusters/k8s-name-intern/otlp/v1/metrics responded with HTTP Status Code 401, Message=invalid credentials, Details=[]","dropped_items":2024,"stacktrace":"go.opentelemetry.io/collector/exporter/exporterhelper/internal.NewQueueSender.func1\n\tgo.opentelemetry.io/collector/exporter@v0.133.0/exporterhelper/internal/queue_sender.go:52\ngo.opentelemetry.io/collector/exporter/exporterhelper/internal/queuebatch.(*disabledBatcher[...]).Consume\n\tgo.opentelemetry.io/collector/exporter@v0.133.0/exporterhelper/internal/queuebatch/disabled_batcher.go:23\ngo.opentelemetry.io/collector/exporter/exporterhelper/internal/queue.(*asyncQueue[...]).Start.func1\n\tgo.opentelemetry.io/collector/exporter@v0.133.0/exporterhelper/internal/queue/async_queue.go:49"}

Additional context

This works just fine when not using the ${env:BASIC_AUTH_PASSWORD}.

Tip

_{React with 👍 to help prioritize this issue. Please use comments to provide useful context, avoiding +1 or me too, to help us triage it. Learn more here.}

[github-actions]

Pinging code owners:

• extension/basicauth: @frzifus

See Adding Labels via Comments if you do not have permissions to add labels yourself.

[frzifus]

mh.. Might be an issue with the multi line string. I try to have a look before end of this week.