I’m trying to understand JWT auth and have set up a dev version of vault but I’m getting a “permission denied” error. I’ve double checked everything but can’t see anything wrong.
This is the policy:-
$ vault policy read test-policy
path "kv/my-secret" {
capabilities = [ "read" ]
}
This is the role I’ve created:-
$ vault read auth/jwt/role/test-role
Key Value
--- -----
allowed_redirect_uris <nil>
bound_audiences <nil>
bound_claims map[branch:main service_name:study]
bound_claims_type string
bound_subject n/a
claim_mappings map[]
clock_skew_leeway 0
expiration_leeway 0
groups_claim n/a
max_age 0
not_before_leeway 0
oidc_scopes <nil>
policies [test-policy]
role_type jwt
token_bound_cidrs []
token_explicit_max_ttl 30s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies [test-policy]
token_ttl 0s
token_type default
user_claim sub
user_claim_json_pointer false
verbose_oidc_logging false
and this is the encoded payload in the JWT:-
{
"iss": "myprovider.com",
"sub": "sub",
"aud": "audrey",
"iat": 1701257192,
"exp": 1701257792,
"service_name": "study",
"branch": "main"
}
and I’ve verified the public key is correct in the vault.
This was the CLI request I made (I’ve omitted the token here):-
vault write auth/jwt/login role=test-role jwt=
This was the response I got back from the auth request:-
WARNING! The following warnings were returned from Vault:
* TTL of "768h" exceeded the effective max_ttl of "30s"; TTL value is capped
accordingly
Key Value
--- -----
token hvs.CAESIHpVgoK-hWbDzC2NExNbjiH3qMpsYsuGqRW646Kl5cGcGh4KHGh2cy5EUExwMWNvQVFuaTB0TEpuY2JYUnpvOG4
token_accessor 7KIqnmX2peNF0D3tNxPPW87V
token_duration 30s
token_renewable true
token_policies ["default" "test-policy"]
identity_policies []
policies ["default" "test-policy"]
token_meta_role test-role
I then exported the token:-
export VAULT_TOKEN="hvs.CAESIFDESLMOEh_cheL7ruKIz2lcqpDMN5P4xdVyxK-eXg7DGh4KHGh2cy5jOGh3WnhZb2tjTzlaVm5TeUhwYVRFN0Q"
then tried to get the creds:-
vault kv get kv/my-secret
but get the following back:-
Error making API request.
URL: GET http://127.0.0.1:8200/v1/sys/internal/ui/mounts/kv/my-secret
Code: 403. Errors:
* permission denied
Any ideas where I might be going wrong?
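One thing worth checking from the post above: the login succeeded (the token carries test-policy), so the 403 is an ACL problem, not a JWT problem. `vault kv get` first calls `sys/internal/ui/mounts/kv/my-secret` to learn which KV version the mount runs, and that endpoint returns "permission denied" when the token has no capability on the path it is asked about. On a KV v2 mount the read API path is `kv/data/my-secret`, which the rule `path "kv/my-secret"` does not match. The script below is an added example, not Vault's own code: it parses the minimal policy syntax shown in the post and applies Vault's documented matching rules (exact path beats glob, longest matching pattern wins, `+` matches one segment, `deny` overrides) so you can see which API paths a policy actually covers. The KV v2 assumption and the `diagnose` helper are mine, not something stated in the post.

```python
"""Simplified model of Vault ACL path matching, used to check a policy offline.

Added example, not Vault's own code. Assumption: the secret may live on a
KV v2 mount, whose read API path is <mount>/data/<name>.
"""
import re

# Matches the simple `path "..." { capabilities = [...] }` form from the post.
RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)


def parse_policy(text):
    """Return {path_pattern: set(capabilities)} for a policy in the post's syntax."""
    rules = {}
    for path, caps in RULE_RE.findall(text):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def pattern_matches(pattern, path):
    """Vault-style match: trailing '*' is a prefix glob, '+' matches one segment."""
    glob = pattern.endswith("*")
    if glob:
        pattern = pattern[:-1]
    pat_segs = pattern.split("/")
    path_segs = path.split("/")
    if glob:
        # Segments before the glob must match; the last one is a prefix match.
        if len(path_segs) < len(pat_segs):
            return False
        for p, s in zip(pat_segs[:-1], path_segs):
            if p != "+" and p != s:
                return False
        return path_segs[len(pat_segs) - 1].startswith(pat_segs[-1])
    if len(pat_segs) != len(path_segs):
        return False
    return all(p == "+" or p == s for p, s in zip(pat_segs, path_segs))


def capabilities_for(rules, path):
    """Capabilities the policy grants on `path`: exact rule first, else longest matching pattern."""
    exact = rules.get(path)
    if exact is not None:
        return set() if "deny" in exact else set(exact)
    best = None
    for pattern, caps in rules.items():
        if pattern_matches(pattern, path) and (best is None or len(pattern) > len(best[0])):
            best = (pattern, caps)
    if best is None:
        return set()
    return set() if "deny" in best[1] else set(best[1])


def diagnose(policy_text, mount="kv", secret="my-secret"):
    """Does the policy allow 'read' on the KV v1 path and on the KV v2 data path?"""
    rules = parse_policy(policy_text)
    return {
        "kv_v1": "read" in capabilities_for(rules, f"{mount}/{secret}"),
        "kv_v2": "read" in capabilities_for(rules, f"{mount}/data/{secret}"),
    }


# Policy exactly as shown in the post.
POLICY_FROM_POST = '''
path "kv/my-secret" {
  capabilities = [ "read" ]
}
'''

# Hypothetical corrected policy for a KV v2 mount (assumption, not from the post).
POLICY_KV2 = '''
path "kv/data/my-secret" {
  capabilities = [ "read" ]
}
'''

if __name__ == "__main__":
    print("post policy  :", diagnose(POLICY_FROM_POST))  # v1 read yes, v2 read no
    print("kv v2 policy :", diagnose(POLICY_KV2))        # v1 read no,  v2 read yes
```

To confirm which case applies on a real server, `vault secrets list -detailed` shows the mount's KV version and `vault token capabilities kv/data/my-secret` shows what the login token can actually do on the v2 path; if that prints `deny`, the policy path is the problem rather than the JWT role.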