Vault GitLab JWT: invalid issuer

Hi all,

vault auth enable jwt

Policy

path "secret/data/db" {
  capabilities = ["read"]
}

Role gitlab-runner

{
  "role_type": "jwt",
  "policies": ["dbserver"],
  "token_explicit_max_ttl": 60,
  "user_claim": "user_email",
  "bound_claims": {
    "project_id": "2"
  }
}

vault write auth/jwt/config \
    jwks_url="https://gitlab.example.com/-/jwks" \
    bound_issuer="gitlab.example.com"

Pipeline

export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=gitlab-runner jwt=$CI_JOB_JWT)"

It keeps failing: "Error making API request. Code: 400. Errors: invalid issuer."

If you’re using GitLab 15 or later you’ll need to use $CI_JOB_JWT_V1 instead of $CI_JOB_JWT.

Also, you’ll need to change the jwks_url and bound_issuer to reflect the URLs of the GitLab instance you’re using, assuming you’re not obfuscating your real URLs in this post.

Thanks, working now. Had to use https instead of http; those URLs are fictitious. Still using $CI_JOB_JWT, version 15.xxx.
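The "invalid issuer" error in this thread comes down to the token's iss claim not matching bound_issuer byte for byte. The following is an added diagnostic, not code from the thread or from Vault: it decodes a CI job token's claims (without verifying the signature, which remains Vault's job via jwks_url) and reports every mismatch against the role shown above. The tokens and claim values are constructed for the demo; real CI_JOB_JWT claims may differ.

```python
import base64
import json

# Values from the role and config in this thread (fictitious URLs, as the poster says).
BOUND_ISSUER = "gitlab.example.com"
BOUND_CLAIMS = {"project_id": "2"}
USER_CLAIM = "user_email"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unverified_claims(jwt: str) -> dict:
    """Decode the payload of a compact JWT without checking its signature.
    Used only to read claims for comparison; signature verification stays
    with Vault (via jwks_url)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_against_role(claims: dict, bound_issuer: str = BOUND_ISSUER,
                       bound_claims: dict = BOUND_CLAIMS, user_claim: str = USER_CLAIM) -> list:
    """Return the mismatches that would make Vault reject the login (empty list = OK).
    Mirrors the checks a JWT role applies: exact iss match, bound_claims, user_claim present."""
    problems = []
    if claims.get("iss") != bound_issuer:  # exact string match: scheme, host and path all count
        problems.append(f"invalid issuer: token iss={claims.get('iss')!r}, bound_issuer={bound_issuer!r}")
    for name, want in bound_claims.items():
        if str(claims.get(name)) != str(want):  # lenient on int vs str so the report stays readable
            problems.append(f"bound claim {name}: token has {claims.get(name)!r}, role wants {want!r}")
    if user_claim not in claims:
        problems.append(f"user_claim {user_claim!r} missing from token")
    return problems


def constructed_token(claims: dict) -> str:
    """Build a token with a dummy signature for the demo (NOT a real GitLab CI_JOB_JWT)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.dummy-signature"


if __name__ == "__main__":
    # Constructed claim sets: the first reproduces the thread's error, the second passes.
    bad = {"iss": "https://gitlab.example.com", "project_id": "2", "user_email": "dev@example.com"}
    good = {"iss": "gitlab.example.com", "project_id": "2", "user_email": "dev@example.com"}
    for claims in (bad, good):
        print(check_against_role(unverified_claims(constructed_token(claims))) or "login would be accepted")
```

In a real pipeline you would feed `$CI_JOB_JWT` to `unverified_claims` instead of a constructed token; the report tells you which side (bound_issuer, bound_claims or user_claim) to fix before retrying the login.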