I have used an integration with GitLab CI, and all existing ones work fine. But when I add a new project and want to integrate CI, this error starts occurring:
{"errors":["error validating token: invalid audience (aud) claim: audience claim does not match any expected audience"]}
What we did:
- Added a new kv 'group'
- Added a new rule to the auth policy (gitlab-prod):
    # read-only access to the new project's secrets (KV v2 data path is covered by the glob)
    path "kv/scrapper/*" {
      capabilities = ["read"]
    }
- Executed the command to configure the role:
    vault write auth/jwt/role/scrapper - <<EOF
    {
      "role_type": "jwt",
      "policies": ["gitlab-prod"],
      "token_explicit_max_ttl": 60,
      "bound_claims_type": "glob",
      "bound_claims": {
        "project_id": "***",
        "ref": "prod",
        "ref_type": "branch"
      },
      "user_claim": "sub",
      "bound_audiences": "https://gitlab.com"
    }
    EOF
- During CI, I want to connect to Vault this way in a bash script:
    # Store Vault address, auth role, etc.
    VAULT_ADDR="***"
    VAULT_AUTH_ROLE="scrapper"
    # KV v2 data path for the new keys (read via ${VAULT_ADDR}/v1/${VAULT_SECRETS_PATH})
    VAULT_SECRETS_PATH="kv/scrapper/data/secrets?version=1"

    # Exchange the GitLab job JWT for a Vault token
    VAULT_LOGIN_URL="${VAULT_ADDR}/v1/auth/jwt/login"
    VAULT_LOGIN_DATA="{\"role\": \"${VAULT_AUTH_ROLE}\", \"jwt\": \"${CI_JOB_JWT_V2}\"}"
    VAULT_LOGIN_OUTPUT=$(curl --silent --show-error --request POST --data "${VAULT_LOGIN_DATA}" "${VAULT_LOGIN_URL}")
    VAULT_TOKEN=$(echo "${VAULT_LOGIN_OUTPUT}" | jq -r '.auth.client_token')
    VAULT_TOKEN_HEADER="X-Vault-Token: ${VAULT_TOKEN}"
But the login response gives this error:
{"errors":["error validating token: invalid audience (aud) claim: audience claim does not match any expected audience"]}
Probably there is an issue connected to the JWT generated by the GitLab runner (CI_JOB_JWT_V2), but our previous integrations work fine and use the same approach.
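As an added pre-flight check (example code, not from the original post, and not Vault's or GitLab's own code): decode the job token's payload locally and compare its claims with the role's bound_audiences, bound_claims and user_claim, approximating the matching Vault's JWT auth method applies. The signature is deliberately not verified here, because the goal is only to see which claim binding fails; Vault performs the real verification against GitLab's JWKS. The tokens, the project id 4242, the `sub` value and the gitlab.example.com audience are constructed test data.

```python
"""Local pre-flight check of a GitLab CI JWT against a Vault JWT role.

Added example, not code from the original post. The payload is decoded
WITHOUT verifying the signature: Vault does that against GitLab's JWKS, and
this script only wants to see which claim binding fails, e.g. why the
audience does not match bound_audiences.
"""
import base64
import fnmatch
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed test data only)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.not-a-real-signature"


def decode_payload(jwt: str) -> dict:
    """Return the claims in the JWT payload. No signature verification."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_role(claims: dict, role: dict) -> list:
    """Return a list of mismatches between token claims and a Vault JWT role.

    Approximates Vault's checks: at least one token aud must appear in
    bound_audiences (either side may be a string or a list), every
    bound_claims entry must match (exact, or glob when bound_claims_type is
    "glob"), and the user_claim must be present.
    """
    problems = []

    expected = role.get("bound_audiences", [])
    expected = [expected] if isinstance(expected, str) else list(expected)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if expected and not set(aud) & set(expected):
        problems.append(f"aud {aud!r} does not match bound_audiences {expected!r}")

    use_glob = role.get("bound_claims_type", "string") == "glob"
    for name, want in role.get("bound_claims", {}).items():
        wants = [str(w) for w in (want if isinstance(want, list) else [want])]
        have = claims.get(name)
        if have is None:
            problems.append(f"bound claim {name!r} is missing from the token")
            continue
        have = str(have)  # GitLab emits project_id as a string; normalise anyway
        matched = any(fnmatch.fnmatchcase(have, w) if use_glob else have == w for w in wants)
        if not matched:
            problems.append(f"claim {name}={have!r} does not match {wants!r}")

    user_claim = role.get("user_claim", "sub")
    if user_claim not in claims:
        problems.append(f"user_claim {user_claim!r} is missing from the token")

    return problems


# Role as configured in the post; 4242 is a hypothetical project id.
ROLE = {
    "bound_audiences": "https://gitlab.com",
    "bound_claims_type": "glob",
    "bound_claims": {"project_id": "4242", "ref": "prod", "ref_type": "branch"},
    "user_claim": "sub",
}

# Constructed claims shaped like a GitLab job token for the hypothetical project.
BASE_CLAIMS = {
    "iss": "https://gitlab.com",
    "sub": "project_path:group/scrapper:ref_type:branch:ref:prod",
    "project_id": "4242",
    "ref": "prod",
    "ref_type": "branch",
}

# Constructed tokens: one whose aud matches the role, one whose aud does not,
# which produces the same kind of mismatch Vault reports in the post.
GOOD_JWT = make_unsigned_jwt({**BASE_CLAIMS, "aud": "https://gitlab.com"})
BAD_JWT = make_unsigned_jwt({**BASE_CLAIMS, "aud": "https://gitlab.example.com"})


def diagnose(jwt: str, role: dict = ROLE) -> list:
    """Decode a token and report every binding it fails; an empty list means these checks pass."""
    return check_role(decode_payload(jwt), role)


if __name__ == "__main__":
    for label, tok in (("good", GOOD_JWT), ("bad", BAD_JWT)):
        print(label, diagnose(tok) or "all claim bindings satisfied")
```

In a pipeline you would pass the real `$CI_JOB_JWT_V2` to `diagnose()` together with the role JSON read back from `vault read -format=json auth/jwt/role/scrapper`; a non-empty result names the claim to look at, without exposing the token to anything but the job itself.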