Accessing Hashicorp Vault external secret

Can’t read secrets from Hashicorp Vault

I followed the documentation:


  • CI configuration from .gitlab-ci.yml:

```yaml
Reading the Secrets From the Vault Server:
  stage: build
  image: vault:1.13.3
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://gitlab.com
  secrets:
    LOCALADMIN_PASSWORD:
      vault: Homenetwork/Server/Linux/Local/password@kv-v2 # translates to secret kv-v2/Homenetwork/Server/Linux/Local, field password
      file: false
      token: $VAULT_ID_TOKEN
  script:
    - echo "Reading localadmin Password from Hashicorp Vault"
    - echo $LOCALADMIN_PASSWORD
  only:
    - main
```

  • $VAULT_SERVER_URL is correct
  • $VAULT_AUTH_ROLE is correct (localinstallation)
  • $VAULT_AUTH_PATH is correct (jwt)

  • My Vault configuration:

```
/ # vault list auth/jwt/role
Keys
localinstallation

/ # vault read auth/jwt/role/localinstallation
Key                     Value
allowed_redirect_uris
bound_audiences
bound_claims            map[project_id:52099128]
bound_claims_type       glob
bound_subject           n/a
claim_mappings
clock_skew_leeway       0
expiration_leeway       0
groups_claim            n/a
max_age                 0
not_before_leeway       0
oidc_scopes
policies                [localinstallation]
role_type               jwt
token_bound_cidrs
token_explicit_max_ttl  1m
token_max_ttl           0s
token_no_default_policy false
token_num_uses          0
token_period            0s
token_policies          [localinstallation]
token_ttl               0s
token_type              default
user_claim              user_login
user_claim_json_pointer false
verbose_oidc_logging    false

/ # vault read auth/jwt/config
Key                     Value
bound_issuer            https://gitlab.com
default_role            n/a
jwks_ca_pem             n/a
jwks_url                n/a
jwt_supported_algs
jwt_validation_pubkeys
namespace_in_state      true
oidc_client_id          n/a
oidc_discovery_ca_pem   n/a
oidc_discovery_url      https://gitlab.com
oidc_response_mode      n/a
oidc_response_types
provider_config         map

/ # vault policy read localinstallation
# Allow read local credentials for Linux
path "kv-v2/Homenetwork/Server/Linux/Local/*" {
  capabilities = [ "read" ]
}

# Allow read local credentials for Windows
path "kv-v2/Homenetwork/Server/Windows/Local/*" {
  capabilities = [ "read" ]
}

/ # vault kv get --field=password kv-v2/Homenetwork/Server/Linux/Local
Passw0rd
```


  • I tried to change the jwt configuration from oidc_discovery_url to jwks_url, but nothing changed
  • I decrypted the VAULT_ID_TOKEN to check the bound_claims
  • I disabled SSL on the Vault to avoid certificate issues

But I don’t get any error or log entry, and I can’t figure out what is wrong.
Thanks a lot for any help.
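Added example, not code from the original post or from GitLab or Vault: a small offline checker for the two places a setup like the one above can fail silently. It decodes a CI id_token payload (inspection only, no signature check) and evaluates it against the role's `bound_audiences`, `bound_claims` (glob type) and `user_claim`, then translates GitLab's `path/field@mount` secret spec into the KV v2 API path and tests whether a policy grants `read` on it. The claim values and the token are constructed samples; the role and policy values are copied from the post. One assumption worth knowing: KV v2 mounts serve secrets under `<mount>/data/<path>`, so a policy must name that `data/` path for the read to be authorized, which is why the block compares the policy as posted with a variant that includes the prefix.

```python
import base64
import json
import re

# Constructed sample claims in the shape of a GitLab CI id_token (not a real token).
SAMPLE_CLAIMS = {
    "iss": "https://gitlab.com",
    "aud": "https://gitlab.com",
    "project_id": "52099128",  # GitLab emits this claim as a string
    "user_login": "example-user",
    "ref": "main",
}

# Role settings copied from the `vault read auth/jwt/role/localinstallation` output.
ROLE = {
    "bound_audiences": [],
    "bound_claims": {"project_id": "52099128"},
    "bound_claims_type": "glob",
    "user_claim": "user_login",
}

# Policy paths as posted, and a variant naming the KV v2 data path (assumption: kv-v2 is a KV v2 mount).
POLICY_AS_POSTED = {
    "kv-v2/Homenetwork/Server/Linux/Local/*": ["read"],
    "kv-v2/Homenetwork/Server/Windows/Local/*": ["read"],
}
POLICY_WITH_DATA_PREFIX = {
    "kv-v2/data/Homenetwork/Server/Linux/Local": ["read"],
    "kv-v2/data/Homenetwork/Server/Windows/Local": ["read"],
}


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload. No signature verification: use for inspection only."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def encode_sample_jwt(claims: dict) -> str:
    """Build a throwaway token for local testing; the signature part is a placeholder."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder-signature"


def _glob_match(pattern: str, value: str) -> bool:
    # bound_claims_type=glob: '*' matches any run of characters.
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def check_role(claims: dict, role: dict) -> list:
    """List the reasons a Vault JWT role would reject these claims; empty means accepted."""
    problems = []
    if role["bound_audiences"]:
        auds = claims.get("aud", [])
        auds = [auds] if isinstance(auds, str) else auds
        if not set(auds) & set(role["bound_audiences"]):
            problems.append(f"aud {auds} not in bound_audiences {role['bound_audiences']}")
    for name, expected in role["bound_claims"].items():
        actual = claims.get(name)
        if actual is None:
            problems.append(f"bound claim {name!r} missing from token")
            continue
        ok = (_glob_match(str(expected), str(actual)) if role["bound_claims_type"] == "glob"
              else str(expected) == str(actual))
        if not ok:
            problems.append(f"bound claim {name!r}: token has {actual!r}, role wants {expected!r}")
    if role["user_claim"] not in claims:
        problems.append(f"user_claim {role['user_claim']!r} missing from token")
    return problems


def kv_secret_to_api_path(spec: str) -> tuple:
    """Translate GitLab's 'path/field@mount' secret spec into (KV v2 API path, field)."""
    path_and_field, mount = spec.rsplit("@", 1)
    path, field = path_and_field.rsplit("/", 1)
    return f"{mount}/data/{path}", field


def _policy_regex(pattern: str):
    # Vault policy paths: a trailing '*' matches any suffix, '+' matches exactly one segment.
    suffix_glob = pattern.endswith("*")
    core = pattern[:-1] if suffix_glob else pattern
    segments = ["[^/]+" if s == "+" else re.escape(s) for s in core.split("/")]
    return re.compile("^" + "/".join(segments) + (".*" if suffix_glob else "") + "$")


def policy_grants(policy: dict, api_path: str, capability: str) -> bool:
    """True if some policy path matches api_path and carries the capability."""
    return any(capability in caps and _policy_regex(pat).match(api_path)
               for pat, caps in policy.items())


def diagnose(token: str, role: dict, policy: dict, secret_spec: str) -> list:
    """Run the role check and the policy check; return all findings (empty means both pass)."""
    findings = check_role(decode_jwt_claims(token), role)
    api_path, field = kv_secret_to_api_path(secret_spec)
    if not policy_grants(policy, api_path, "read"):
        findings.append(f"no policy path grants read on {api_path} (field {field!r})")
    return findings


if __name__ == "__main__":
    token = encode_sample_jwt(SAMPLE_CLAIMS)
    spec = "Homenetwork/Server/Linux/Local/password@kv-v2"
    for label, policy in (("as posted", POLICY_AS_POSTED), ("with data/ prefix", POLICY_WITH_DATA_PREFIX)):
        print(f"{label}: {diagnose(token, ROLE, policy, spec) or 'ok'}")
```

Run it as-is to see both outcomes side by side, or paste a real token's decoded claims into `SAMPLE_CLAIMS` and the role's values into `ROLE` from `vault read`. When the role check passes but the policy check fails, the login succeeded and only the read was denied, which surfaces in Vault's audit log (if one is enabled) as a permission-denied response on the `data/` path rather than as a login error; with no audit device enabled, nothing is logged at all, which matches the "no error or log entry" symptom.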