Hi all,
in GitLab 17 we have a problem in the connection to HashiCorp Vault.
I created a simple env to replicate my problem.
`.gitlab-ci.yml`:

```yaml
stages:
  - deploy

deploy:dev:
  stage: deploy
  environment:
    name: dev
  image: registry.gitlab.com/bootloader-vc/monetum-pay/cloud-ci-docker-image
  variables:
    CI_DEBUG_TRACE_UNMASK: "true"
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://gitlab.com
  before_script:
    - chmod +x ci-cd/*.sh
  script:
    - source ci-cd/vault-secrets-inject.sh
    - echo $TEST_VAR
    # - ci-cd/deploy.sh
  only:
    - /^\d+\.\d+\.\d+-dev$/
  except:
    - branches
```
`vault-secrets-inject.sh`:

```bash
#!/bin/bash
set -o errexit
set -o pipefail
TRACE=1
export VAULT_TOKEN=$VAULT_ID_TOKEN
echo "user: $(vault kv get -field="user" secret/ci/radix-ping/dev/db/backoffice-user/)"
```
I created a role with:

```bash
vault write auth/jwt_v2/role/ci-radix-ping-dev - <<EOF
{
  "role_type": "jwt",
  "policies": ["ci-radix-ping-dev"],
  "token_explicit_max_ttl": 60,
  "user_claim": "user_email",
  "bound_audiences": ["https://devops-vault.prod.paytah.net"],
  "bound_claims": {
    "iss": [
      "https://gitlab.com",
      "gitlab.com"
    ],
    "project_id": "50555001"
  }
}
EOF
```
and the attached policy is:

```hcl
path "secret/ci/data/radix-ping/dev/*" {
  capabilities = [ "read" ]
}
```
CI/CD variables:

- `VAULT_AUTH_PATH`: `jwt_v2`
- `VAULT_AUTH_ROLE`: `auth/jwt_v2/role/ci-radix-ping-dev`
- `VAULT_SERVER_URL`: `https://devops-vault.prod.paytah.net:8200`
The problem is that I can't get the VAULT_ID_TOKEN, but if I add
`export VAULT_TOKEN="hardcoded-token"` it works (hardcoding a token retrieved from my Vault web UI with the copy token function once logged in).
What am I missing?
Thank you
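A diagnostic check, added here as an example (it is not code from the post, from GitLab or from Vault): it decodes a constructed, unsigned JWT shaped like the GitLab CI ID token, applies the role's `bound_audiences` and `bound_claims` the way Vault's jwt auth method matches them, and builds the body of the `auth/jwt_v2/login` request that exchanges the ID token for a Vault token. The sample claim values, the `login_request` helper and the role name `ci-radix-ping-dev` (taken from the role path) are assumptions of this example.

```python
import base64
import json

# Constructed claim set shaped like a GitLab CI ID token; `aud` follows the
# `aud:` value under id_tokens in the pipeline above (other values are placeholders).
SAMPLE_CLAIMS = {
    "iss": "https://gitlab.com",
    "aud": "https://gitlab.com",
    "project_id": "50555001",
    "user_email": "dev@example.com",
}

# The role from the post, reduced to the fields Vault matches against the token.
ROLE = {
    "bound_audiences": ["https://devops-vault.prod.paytah.net"],
    "bound_claims": {"iss": ["https://gitlab.com", "gitlab.com"],
                     "project_id": "50555001"},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """header.payload. with an empty signature: enough to inspect claims offline."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def jwt_claims(token: str) -> dict:
    """Decode the payload segment; no signature check (Vault does that at login)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def role_mismatches(token: str, role: dict) -> list:
    """Reasons Vault's jwt auth method would reject this token for the role."""
    claims = jwt_claims(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    problems = []
    if not set(aud) & set(role["bound_audiences"]):
        problems.append(f"aud {aud} not in bound_audiences {role['bound_audiences']}")
    for name, want in role["bound_claims"].items():
        allowed = want if isinstance(want, list) else [want]
        if claims.get(name) not in allowed:
            problems.append(f"{name}={claims.get(name)!r} not in {allowed}")
    return problems

def login_request(role_name: str, token: str) -> dict:
    """Body for POST auth/jwt_v2/login: the exchange that yields a Vault token."""
    return {"role": role_name, "jwt": token}
```

With the pipeline's `aud: https://gitlab.com` and the role's `bound_audiences`, the check reports an audience mismatch; the ID token itself is never a Vault token, only the login response carries one.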