Jwt authentication from gitlab returns needs assistance to understand bound_audiences parameter

Dear Vault community,

I have a local gitlab (mygitlab.local) and vault (myvault.local) community/free instances. I have followed the gitlab documentation to enable jwt authentication method. Also, I have created my test secrets and my role (see below). I am currently facing an issue where my gitlab runner can’t authenticate against vault. Error message says:

* error validating claims: aud claim does not match any bound audience

This is my role:

vault write auth/jwt/role/my-role -<<EOF
{
  "role_type": "jwt",
  "policies": "my-policy",
  "token_explicit_max_ttl": 60,
  "user_claim": "myuser",
  "bound_audiences": ["myvault.local", "mygitlab.local", "https://myvault.local", "https://mygitlab.local"],
  "bound_claims": {
    "project_id": "1158",
    "ref_protected": "true",
    "ref_type": "branch"
  }
}
EOF

Which value should I put in bound_audiences?

thank you very much


Despite what the Vault API docs say I don’t think the bound_audiences value is required here.

Try omitting and see if it works.

Still getting the same error if bound_audiences is removed from the role.

When you configured the auth method did you use the following command?

vault write auth/jwt/config \
    jwks_url="https://mygitlab.local/-/jwks" \
    bound_issuer="mygitlab.local"

Also, I just realized your user_claim may be invalid. That should be a field name found in the JWT payload. Usually user_id, user_login, user_email, project_name, or namespace_name (something that stays consistent over pipeline runs).

If you don’t have a bound_audiences you may need to specify a groups_claim instead (I’m not sure of this, just inferring based on the configs in my setup). I typically use project_path or namespace_path for these depending on the need.

I came here from the aud claims error. I am terraforming our Vault and indeed you must set a bound_audiences.

However, instead of not setting it, I set it to an empty set (:dizzy:):

resource "vault_jwt_auth_backend_role" "infrastructure_runners" {
  # ...
  bound_audiences = []
}

Terraform was happy and the audience JWT error has gone away.

BTW - It turns out (as of the time of writing) that the aud field is not set in the GitLab JWT.
In my vast ignorance of how JWT actually works, I presume that this is why if you set anything in bound_audiences, the claim validation error happens.

There was a feature request for this:
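As an added illustration (not code from the thread, from Vault or from GitLab), the following Python models the claim checks the posts above discuss: it decodes a constructed GitLab-style job token that carries no aud claim and runs it against the role as originally posted and against a role with bound_audiences left empty and a user_claim that actually exists in the token. The checks are a simplified reading of Vault's JWT role validation (exact-match bound_claims only, no glob or list handling), every claim value and the key id are invented, and the signature segment is a dummy; in a real deployment Vault verifies the signature against the GitLab JWKS configured with jwks_url, which this inspection code never attempts.

```python
import base64
import json

# Constructed sample resembling the claims GitLab puts in its CI job JWT.
# Every value is made up for this example; note the deliberate absence of "aud".
SAMPLE_CLAIMS = {
    "iss": "mygitlab.local",
    "iat": 1700000000,
    "exp": 1700000300,
    "sub": "job_4242",
    "namespace_path": "mygroup",
    "project_id": "1158",
    "project_path": "mygroup/myproject",
    "user_id": "13",
    "user_login": "ci-user",
    "pipeline_id": "900",
    "job_id": "4242",
    "ref": "main",
    "ref_type": "branch",
    "ref_protected": "true",
}


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as JWT segments use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Re-add the padding JWT segments strip, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(claims: dict) -> str:
    """Assemble a token from the sample claims with a dummy, invalid signature.
    Only the payload matters for claim inspection; Vault does the real
    signature check against the issuer's JWKS."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}  # invented kid
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        b64url_encode(b"dummy-signature-not-valid"),
    ])


def decode_payload(token: str) -> dict:
    """Return a JWT's claims WITHOUT verifying it (diagnostic inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def check_role(claims: dict, role: dict) -> list:
    """Simplified model of the claim checks a Vault JWT role applies.
    Returns the list of errors; an empty list means the token would be accepted."""
    errors = []

    # Audience is only checked when the role binds audiences. "aud" may be a
    # string or a list; any single match is sufficient. A token with no "aud"
    # can never satisfy a non-empty bound_audiences list.
    bound_aud = role.get("bound_audiences") or []
    if bound_aud:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else list(aud)
        if not set(aud) & set(bound_aud):
            errors.append("error validating claims: aud claim does not match any bound audience")

    # bound_claims: each listed claim must be present and equal (exact string
    # comparison here; Vault's list and glob matching are left out of this model).
    for name, expected in (role.get("bound_claims") or {}).items():
        if name not in claims:
            errors.append(f"claim {name!r} is missing from the token")
        elif str(claims[name]) != str(expected):
            errors.append(f"claim {name!r} does not match any associated bound claim values")

    # user_claim must name a claim that exists; Vault uses it as the entity alias.
    user_claim = role.get("user_claim")
    if user_claim not in claims:
        errors.append(f"claim {user_claim!r} not found in token")

    return errors


# The role from the original question, reduced to the fields this model checks.
ROLE_AS_POSTED = {
    "bound_audiences": ["myvault.local", "mygitlab.local",
                        "https://myvault.local", "https://mygitlab.local"],
    "bound_claims": {"project_id": "1158", "ref_protected": "true", "ref_type": "branch"},
    "user_claim": "myuser",
}

# Same bindings, but no audiences bound and a user_claim present in the token.
ROLE_FIXED = {
    "bound_audiences": [],
    "bound_claims": {"project_id": "1158", "ref_protected": "true", "ref_type": "branch"},
    "user_claim": "user_login",
}


if __name__ == "__main__":
    claims = decode_payload(make_sample_jwt(SAMPLE_CLAIMS))
    print("claims present in token:", sorted(claims))
    for label, role in (("as posted", ROLE_AS_POSTED), ("fixed", ROLE_FIXED)):
        print(f"{label}: {check_role(claims, role) or 'OK'}")
```

Running it shows the posted role failing twice, on the audience check and on the non-existent myuser claim, while the role with an empty bound_audiences and user_claim set to user_login passes, which is the behaviour the thread reports. To inspect a real job token the same way, pass the raw token string to decode_payload and compare the printed claim names against the role's user_claim and bound_claims before changing anything in Vault.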