JWT authentication from GitLab: need assistance understanding the bound_audiences parameter

Dear Vault community,

I have a local GitLab (mygitlab.local) and Vault (myvault.local) community/free instances. I have followed the GitLab documentation to enable the JWT authentication method. Also, I have created my test secrets and my role (see below). I am currently facing an issue where my GitLab runner can’t authenticate against Vault. The error message says:

* error validating claims: aud claim does not match any bound audience

This is my role:

vault write auth/jwt/role/my-role -<<EOF
{
  "role_type": "jwt",
  "policies": "my-policy",
  "token_explicit_max_ttl": 60,
  "user_claim": "myuser",
  "bound_audiences": ["myvault.local", "mygitlab.local", "https://myvault.local", "https://mygitlab.local"],
  "bound_claims": {
    "project_id": "1158",
    "ref_protected": "true",
    "ref_type": "branch"
  }
}
EOF

Which value should I put in bound_audiences?

Thank you very much.

Despite what the Vault API docs say I don’t think the bound_audiences value is required here.

Try omitting and see if it works.

Still getting the same error if bound_audiences is removed from the role.

When you configured the auth method did you use the following command?

vault write auth/jwt/config \
    jwks_url="https://mygitlab.local/-/jwks" \
    bound_issuer="mygitlab.local"

Also, I just realized your user_claim may be invalid. That should be a field name found in the JWT payload. Usually user_id, user_login, user_email, project_name, or namespace_name (something that stays consistent over pipeline runs).

If you don’t have a bound_audiences you may need to specify a groups_claim instead (I’m not sure of this, just inferring based on the configs in my setup). I typically use project_path or namespace_path for these depending on the need.
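The checks discussed in the original question (aud against bound_audiences) and in the last reply (user_claim must name a claim that is actually in the token) can be reproduced offline against a token before touching Vault. The following Python is an added example written for this thread; it is not Vault's code and not from GitLab. It decodes a JWT payload without verifying the signature (for inspection only, never for authorization), then re-implements the role-level comparisons: aud (string or list) must intersect bound_audiences when that list is non-empty, every bound_claims entry must match the token value as a string, and the user_claim key must exist. The sample claims are constructed to look like a GitLab ID token (GitLab emits project_id, ref_protected and ref_type as strings, and the aud value of an ID token is whatever the id_tokens: aud: entry in .gitlab-ci.yml sets); the first error string is the one quoted in the thread, the other two are paraphrases of Vault's messages, not exact text.

```python
import base64
import json

# Role from the thread, with user_claim changed to a claim GitLab actually emits
# (the original "myuser" is not a claim in the token and fails the last check below).
ROLE = {
    "bound_audiences": ["myvault.local", "mygitlab.local",
                        "https://myvault.local", "https://mygitlab.local"],
    "user_claim": "user_login",
    "bound_claims": {"project_id": "1158", "ref_protected": "true", "ref_type": "branch"},
}

# Constructed sample claims resembling a GitLab ID token for a protected branch job.
SAMPLE_CLAIMS = {
    "iss": "mygitlab.local",
    "aud": "https://myvault.local",   # set by id_tokens: <NAME>: aud: in .gitlab-ci.yml
    "project_id": "1158",
    "project_path": "group/project",
    "ref": "main",
    "ref_type": "branch",
    "ref_protected": "true",
    "user_login": "alice",
}


def _b64url(data: bytes) -> str:
    """base64url without padding, as used by JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build header.payload.signature with a dummy signature (constructed test input only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.dummysignature"


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT checking the signature.

    Use this only to look at what a token contains; Vault validates the
    signature against jwks_url before any of the claim checks run.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(seg))


def check_role(claims: dict, role: dict) -> list:
    """Replicate the role-level comparisons; returns a list of failure messages."""
    errors = []

    # 1. Audience: only enforced when the role lists bound_audiences.
    bound = role.get("bound_audiences") or []
    if bound:
        aud = claims.get("aud")
        auds = [aud] if isinstance(aud, str) else list(aud or [])
        if not set(auds) & set(bound):
            errors.append("aud claim does not match any bound audience")

    # 2. bound_claims: each expected value (or any of a list) compared as a string.
    for name, expected in (role.get("bound_claims") or {}).items():
        wanted = expected if isinstance(expected, list) else [expected]
        actual = claims.get(name)
        if actual is None or str(actual) not in [str(w) for w in wanted]:
            errors.append(f"claim {name!r} does not match any associated bound claim values")

    # 3. user_claim must name a claim present in the token.
    uc = role.get("user_claim")
    if uc and uc not in claims:
        errors.append(f"claim {uc!r} not found in token")

    return errors


if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    print("errors:", check_role(decode_jwt_payload(token), ROLE))
```

To use this against a real pipeline, paste the token value from a job (for example one stored temporarily in a masked variable) into decode_jwt_payload and compare the printed aud, project_id and the chosen user_claim against the role; if aud is absent from the payload the audience check can never pass, so either the job has to request an ID token with an aud, or bound_audiences has to stay empty.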