"audience claim found in JWT but no audiences bound to the role"

Although I get this error, I don’t get it because my bound_audiences is set:

resource "vault_policy" "team-policy" {
  name = "team-pipeline"

  policy = <<EOT
path "team-name/*" {
  capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
EOT
}

resource "vault_jwt_auth_backend_role" "gitlab_pipeline" {
  backend           = "gitlab" # already configured as gitlab jwt pipeline
  role_type         = "jwt"
  role_name         = "team-role"
  token_policies    = ["team-pipeline"]
  bound_audiences   = ["https://gitlab-prod.<mycompany>.com"]
  user_claim        = "user_email"
  bound_claims_type = "glob"
  token_ttl         = 600
  bound_claims = {
    project_path = "team-name/gitlab-project"
  }
}

Can’t understand what’s happening here. The error I see is:


│ Error: Error making API request.
│ 
│ URL: PUT https://vault-prod.<mycompany>.com/v1/auth/jwt/login
│ Code: 400. Errors:
│ 
│ * audience claim found in JWT but no audiences bound to the role
│ 
│   with vault_policy.esw_vdi_mgmt,
│   on team-pipeline.tf line 1, in resource "vault_policy" "team_policy":
│    1: resource "vault_policy" "team_policy" {
│ 
╵
╷
│ Error: Error making API request.
│ 
│ URL: PUT https://vault-prod.<mycompany>.com/v1/auth/jwt/login
│ Code: 400. Errors:
│ 
│ * audience claim found in JWT but no audiences bound to the role
│ 
│   with vault_jwt_auth_backend_role.gitlab_pipeline,
│   on team-pipeline.tf line 11, in resource "vault_jwt_auth_backend_role" "gitlab_pipeline":
│   11: resource "vault_jwt_auth_backend_role" "gitlab_pipeline" {
│ 

Getting this exact issue after upgrading Vault from 1.16.2 to 1.18.1. No other changes and was working before upgrade.

This is NOT a Terraform-specific issue. Simply CURLing the JWT auth/login endpoint and POSTing a JWT/role fails with the error.


EDIT:

Changing from:

  bound_claims = {
    aud          = "https://vault.<company>.com"
    project_path = "foo"
  }

To:

  bound_audiences = [
    "https://vault.<company>.com"
  ]
  bound_claims = {
    project_path = "foo"
  }

…fixed it for me.
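To make the difference between the two role shapes concrete, here is a small added example (not code from the thread, Vault, or its Terraform provider) that emulates the two checks a JWT role applies to an incoming token: the audience check, which the error message above describes and which only consults `bound_audiences`, and the `bound_claims` match (exact or glob, per `bound_claims_type`). The token, the claim values and the role dictionaries are constructed for the demo; `https://vault.example.com` stands in for the redacted company URL, the signature is a placeholder and signature verification is assumed to have already happened. The ordering of the checks and the exact matching rules are a simplification of the real plugin, not a copy of it.

```python
import base64
import json
from fnmatch import fnmatchcase
from typing import Optional, Tuple

# The message the thread reports; returned here when a token carries `aud`
# but the role has no bound_audiences (assumption: mirrors Vault's rule).
VAULT_AUD_ERROR = "audience claim found in JWT but no audiences bound to the role"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in compact JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_jwt(claims: dict) -> str:
    """Constructed, unsigned token for the demo: header.payload.placeholder.
    Signature (JWKS) verification is out of scope and assumed done elsewhere."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_payload(jwt: str) -> dict:
    """Return the claims of a compact JWT (does NOT verify the signature)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_audience(claims: dict, role: dict) -> Optional[str]:
    """Audience rule: only bound_audiences counts, never bound_claims['aud']."""
    aud = claims.get("aud")
    bound = role.get("bound_audiences") or []
    if aud is None:
        return None  # no aud in the token: nothing to compare
    if not bound:
        return VAULT_AUD_ERROR
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in bound for a in auds):
        return "aud claim does not match any bound audience"
    return None


def check_bound_claims(claims: dict, role: dict) -> Optional[str]:
    """bound_claims match; glob patterns when bound_claims_type == 'glob'."""
    use_glob = role.get("bound_claims_type", "string") == "glob"
    for name, expected in (role.get("bound_claims") or {}).items():
        actual = claims.get(name)
        if actual is None:
            return f"claim {name!r} missing from token"
        patterns = expected if isinstance(expected, list) else [expected]
        values = actual if isinstance(actual, list) else [actual]
        matched = any(
            fnmatchcase(str(v), str(p)) if use_glob else str(v) == str(p)
            for v in values
            for p in patterns
        )
        if not matched:
            return f"claim {name!r} does not match any allowed value"
    return None


def evaluate_login(jwt: str, role: dict) -> Tuple[bool, Optional[str]]:
    """(accepted, error): the audience check runs before bound_claims, so a
    role that lists aud only under bound_claims is rejected before that
    bound_claims entry is ever compared."""
    claims = decode_payload(jwt)
    for check in (check_audience, check_bound_claims):
        err = check(claims, role)
        if err:
            return (False, err)
    return (True, None)


# Constructed sample token, modelled on a GitLab CI id token.
SAMPLE_CLAIMS = {
    "iss": "https://gitlab.example.com",
    "aud": "https://vault.example.com",
    "project_path": "team-name/gitlab-project",
    "user_email": "ci@example.com",
}
SAMPLE_JWT = make_demo_jwt(SAMPLE_CLAIMS)

# Role shape from the "Changing from:" block: aud inside bound_claims only.
ROLE_BEFORE = {
    "bound_claims_type": "glob",
    "bound_claims": {"aud": "https://vault.example.com", "project_path": "team-name/*"},
}
# Role shape from the "To:" block: aud moved to bound_audiences.
ROLE_AFTER = {
    "bound_audiences": ["https://vault.example.com"],
    "bound_claims_type": "glob",
    "bound_claims": {"project_path": "team-name/*"},
}

if __name__ == "__main__":
    for label, role in (("before", ROLE_BEFORE), ("after", ROLE_AFTER)):
        print(label, evaluate_login(SAMPLE_JWT, role))
```

Running it prints the thread's error for the "before" role and an accepted login for the "after" role, which is the behaviour the reply describes: a `bound_claims` entry named `aud` is just another claim comparison and does not satisfy the audience binding the role needs.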