HashiCorp Vault Secret Problem

I am trying to use a GitLab CI/CD pipeline with a HashiCorp Vault to read out a secret stored in the Vault. I am trying to follow the guide here, Using external secrets in CI | GitLab, but I keep getting the error: ERROR: Job failed (system failure): resolving secrets: initializing Vault service: preparing authenticated client: authenticating Vault client: writing to Vault: api error: status code 400: error validating token: invalid issuer (iss) claim

My HashiCorp Vault is running locally on the same Linux machine running the pipeline.

A screenshot of my .gitlab-ci.yml is shown below.
[screenshot of .gitlab-ci.yml not reproduced]

I have set up a VAULT_SERVER_URL to be 127.0.0.1:8200 in GitLab.
I have set a VAULT_AUTH_ROLE in GitLab to "myproject-production". The guide says it is optional, but I got an error saying there was no role defined until I created a role.

I have run the following commands in the CLI of the Vault server:
vault auth enable jwt

vault write auth/jwt/config \
  jwks_url="https://gitlab..com/-/jwks" \
  bound_issuer="gitlab..com"

vault policy write myproject-production - <<EOF
path "secret/data/g4_priv_key/*" {
  capabilities = [ "read", "list" ]
}
EOF

vault write auth/jwt/role/myproject-production - <<EOF
{
  "role_type": "jwt",
  "policies": ["myproject-production"],
  "token_explicit_max_ttl": 60,
  "user_claim": "user_email",
  "bound_claims_type": "glob",
  "bound_claims": {
    "project_id": "6012",
    "ref_type": "tag",
    "ref": "5312_secure_key_from_vault"
  }
}
EOF

Any help is greatly appreciated,
Brent

same problem

@Bouwser have you tried adding scheme to bound_issuer so it’s https://gitlab.com?
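The error in the original post and the suggestion in the reply above both come down to one comparison: Vault's jwt auth method checks the token's iss claim against bound_issuer as an exact string, with no scheme or trailing-slash normalisation. The quickest way to settle what bound_issuer must be is to decode the token the job presents and read its iss claim. The helper below is an added example, not code from the original post, from GitLab or from Vault. It builds a constructed HS256 sample token with the claim values from the role in the post (real GitLab tokens are RS256-signed with the keys served at /-/jwks, and the hostname gitlab.example.com is a placeholder) so that the check runs offline; the decode step deliberately skips signature verification and is for diagnosis only.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url_encode; restores the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(iss: str, secret: bytes = b"constructed-demo-key") -> str:
    """Build a CONSTRUCTED HS256 token shaped like a GitLab CI JWT.

    Real GitLab tokens are RS256-signed with keys served at /-/jwks; this
    one exists only so the checks below can run offline.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": iss,
        "project_id": "6012",                 # values from the role in the post
        "ref_type": "tag",
        "ref": "5312_secure_key_from_vault",
        "user_email": "ci@example.invalid",   # placeholder user_claim value
    }
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    Diagnostic use only: it tells you what Vault will see in iss, not
    whether the token is genuine. Never make auth decisions on this.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialization token")
    return json.loads(_b64url_decode(parts[1]))


def issuer_matches(token: str, bound_issuer: str) -> bool:
    """Mirror Vault's check: the iss claim must equal bound_issuer exactly.

    Scheme, host and any trailing slash all count; there is no
    normalisation, which is why "gitlab.example.com" and
    "https://gitlab.example.com" are different issuers.
    """
    return decode_claims(token).get("iss") == bound_issuer


def diagnose(token: str, bound_issuer: str) -> str:
    """Explain a mismatch in the terms of the Vault error from the post."""
    iss = decode_claims(token).get("iss")
    if iss == bound_issuer:
        return f"ok: iss {iss!r} matches bound_issuer"
    return (f"invalid issuer (iss) claim: token says {iss!r}, "
            f"auth/jwt/config has bound_issuer={bound_issuer!r}; "
            f"set bound_issuer={iss!r}")


if __name__ == "__main__":
    # Constructed token whose iss carries the scheme, as the reply suggests.
    sample = make_sample_token("https://gitlab.example.com")
    print(diagnose(sample, "gitlab.example.com"))          # mismatch
    print(diagnose(sample, "https://gitlab.example.com"))  # match
```

To use it against a real pipeline, run decode_claims on the token the job presents to Vault (the CI_JOB_JWT variable for the integration described in the post) inside the job itself, and copy only the iss value into bound_issuer. Do not paste the whole token into a ticket or chat: until it expires it is a bearer credential that Vault will accept for that role.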