How to unmask CI_JOB_JWT?

Dear Gitlab community,

I have a local free community gitlab instance and I am trying to integrate it with my vault server to read secrets. I use jwt authentication method for this and I am getting a permission denied when trying to authenticate.

vault write -field=token auth/jwt/login role=my-role jwt=$CI_JOB_JWT

I would like to troubleshoot this but for this I need to be able to read the masked value of CI_JOB_JWT

How can I show masked values in the jobs logs web interface?

thank you

    - JQ=./jq #the latest not the official (1.5 does not support @base64d)
    - curl -sLo jq > $JQ && chmod +x $JQ
    - ./jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< "$CI_JOB_JWT"

Hey Mate,
did you find a solution? i have a similar problem, i try everything but get a missing token. and i was wondering if you might have found a solution.

cheers Tobeje


You can use echo $CI_JOB_JWT | base64. Instead of [MASKED] it will return your jwt token encoded with base64. To read it: first decode base64, then decode RS256.

Don’t use it in prod environments :slight_smile: