Vault gitlab jwt invalid issuer

tsiamer · August 3, 2022, 12:57am

Hi all,

vault auth enable jwt

Policy

path “secret/data/db” {
capabilities = [“read”]
}

Role gitlab-runner

{
“role_type”: “jwt”,
“policies”: [“dbserver”],
“token_explicit_max_ttl”: 60,
“user_claim”: “user_email”,
“bound_claims”: {
“project_id”: “2”
}
}

vault write auth/jwt/config
jwks_url=“https://gitlab.example.com/-/jwks”
bound_issuer=“gitlab.example.com”

Pipeline

export VAULT_TOKEN=“$(vault write -field=token auth/jwt/login role=gitlab-runner jwt=$CI_JOB_JWT)”

It keeps failing, Error making API request, Code: 400. Errors invalid issuer.

jeffsanicola · August 3, 2022, 12:11pm

If you’re using GitLab 15 or later you’ll need to use $CI_JOB_JWT_V1 instead of $CI_JOB_JWT.

Also, you’ll need to change the jwks_url and bound_issuer to reflect the URLs of the GitLab instance you’re using, assuming you’re not obfuscating your real URLs in this post.

tsiamer · August 3, 2022, 4:36pm

Thanks working now, had to use https instead of http, those urls are fictitious, still using $CI_JOB_JWT, version 15.xxx

Topic		Replies	Views
Vault & JWT authentication method Vault	3	5866	March 23, 2021
Error connecting with Gitlab via JWT Vault	0	387	March 14, 2024
Jwt authentication from gitlab returns needs assitance to understand bound_audiences parameter Vault k8s , vault	5	7257	February 1, 2022
Vault & GitLab CI integration using JWT Vault vault	2	343	February 24, 2024
GitLab + JWT + Vault + AD Group Vault	5	1252	May 31, 2022

Vault gitlab jwt invalid issuer

Role gitlab-runner

Related topics