Maksim

Reputation: 349

GitLab CI can't access Vault

GitLab Community Edition 14.2.7

curl -s -k -X GET https://gitlab.domain.com/-/jwks
{"keys":[{"kty":"RSA","kid":"xUeI9jobL................194Xg0gj5DSct8O__KR6I8RoTTBACp1lRYSlBO4w","use":"sig","alg":"RS256"}]}

In Vault:

Created a secret: vault kv put secret/projects/test/mariadb login=user password=pass

Created a policy:

vault policy write project-test - <<EOF
path "secret/projects/test/*" {
  capabilities = [ "read" ]
}
EOF

And created a JWT role:

vault write auth/jwt/role/project-test - <<EOF
{
  "role_type": "jwt",
  "policies": ["project-test"],
  "token_explicit_max_ttl": 60,
  "user_claim": "[email protected]",
  "bound_claims": {
    "project_id": "321",
    "ref": "main",
    "ref_type": "branch"
  }
}
EOF
vault write auth/jwt/config jwks_url="https://gitlab.domain.com/-/jwks" bound_issuer="gitlab.domain.com"

project_id is correct, main branch.

In GitLab CI:

stages:
  - test_vault

test:
  stage: test_vault
  script:
    - echo $CI_COMMIT_REF_NAME
    - export VAULT_ADDR=https://k8s.domain.com:8700
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=project-test jwt=$CI_JOB_JWT)"
    - export LOGIN="$(vault kv get -field=login secret/projects/test/mariadb)"
    - export PASSWORD="$(vault kv get -field=password secret/projects/test/mariadb)"
    - echo $LOGIN
    - echo $PASSWORD

In the output I get 403 everywhere. Where is access being denied? The Vault logs are silent.

$ export VAULT_ADDR=https://k8s.domain.com:8700
$ export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=project-test jwt=$CI_JOB_JWT)"
Error writing data to auth/jwt/login: Error making API request.
URL: PUT https://k8s.domain.com:8700/v1/auth/jwt/login
Code: 400. Errors:
* claim "[email protected]" not found in token

I see that it complains with claim "[email protected]" not found in token, but it's not clear where to get the correct user_claim from?

Upvotes: 1

Views: 1971

Answers (1)

Matthew Schuchard

Reputation: 28739

The authorization policy for the GitLab CI role with JWT/OIDC authentication is slightly wrong. It appears that you replaced user_email with a literal email address. That value was not a placeholder, but rather an instruction for Vault to associate the token with the email of the user triggering the authentication:

{
  "role_type": "jwt",
  "policies": ["project-test"],
  "token_explicit_max_ttl": 60,
  "user_claim": "user_email",
  "bound_claims": {
    "project_id": "321",
    "ref": "main",
    "ref_type": "branch"
  }
}

There may be another issue after this one, but the rest of your configuration LGTM, and this will move you past your current blocker.

Upvotes: 4
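The following is an added example for checking a role definition against a job token offline, before pushing another pipeline; it is not code from the question, the answer, GitLab or HashiCorp. It builds a constructed, unsigned token with the claim names GitLab puts in CI_JOB_JWT (project_id, ref, ref_type, user_email), decodes the payload, and reproduces the two checks Vault's jwt auth method applies to a role: user_claim must name a claim that exists in the token, and each bound_claims entry must match the token value. The role values, the sample email and the dummy signature are all made up; exact-string comparison is a simplification of Vault's matching.

```python
import base64
import json

# Constructed sample claims, mirroring the claim names GitLab puts in
# CI_JOB_JWT. Values are made up for this example.
SAMPLE_CLAIMS = {
    "iss": "gitlab.domain.com",
    "project_id": "321",
    "ref": "main",
    "ref_type": "branch",
    "user_email": "ci-user@example.com",
    "user_login": "ci-user",
}

# The asker's role, with a literal address where the claim *name* belongs
# (the address itself is a constructed stand-in), and the corrected role.
ROLE_BROKEN = {
    "user_claim": "user@example.com",
    "bound_claims": {"project_id": "321", "ref": "main", "ref_type": "branch"},
}
ROLE_FIXED = {**ROLE_BROKEN, "user_claim": "user_email"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_unsigned_jwt(claims: dict) -> str:
    """Constructed token: header.payload.dummy-signature, for offline
    inspection only. Vault verifies the real signature via jwks_url."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysig"


def decode_claims(jwt: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.
    Good enough for listing claim names while debugging a role; never
    use it to make an authorization decision."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_role(claims: dict, role: dict) -> list:
    """Mirror the role checks Vault's jwt auth method applies at login:
    user_claim must be present in the token, and every bound_claims
    entry must match. Returns a list of problems; empty means these
    checks would pass (signature, issuer and expiry are checked separately)."""
    problems = []
    user_claim = role["user_claim"]
    if user_claim not in claims:
        problems.append(f'claim "{user_claim}" not found in token')
    for name, expected in role.get("bound_claims", {}).items():
        if name not in claims:
            problems.append(f'bound claim "{name}" not found in token')
        elif str(claims[name]) != str(expected):
            problems.append(
                f'claim "{name}" is "{claims[name]}", role requires "{expected}"'
            )
    return problems


if __name__ == "__main__":
    token = build_unsigned_jwt(SAMPLE_CLAIMS)
    claims = decode_claims(token)
    print("claims present in token:", sorted(claims))
    print("broken role:", check_role(claims, ROLE_BROKEN))
    print("fixed role: ", check_role(claims, ROLE_FIXED))
```

In a real job the same inspection can be done by feeding the value of CI_JOB_JWT to decode_claims; keep the token itself out of the job log, since anyone who can read the log could present it to Vault until it expires.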
