Jwt authentication from gitlab returns needs assistance to understand bound_audiences parameter

Dear Gitlab,

I have a local gitlab (mygitlab.local) and vault (myvault.local) community/free instances. I have followed the gitlab documentation to enable jwt authentication method. Also, I have created my test secrets and my role (see below). I am currently facing an issue where my gitlab runner can’t authenticate against vault. Error message says:

* error validating claims: aud claim does not match any bound audience

This is my role:

vault write auth/jwt/role/my-role -<<EOF
{
  "role_type": "jwt",
  "policies": "my-policy",
  "token_explicit_max_ttl": 60,
  "user_claim": "myuser",
  "bound_audiences": ["myvault.local", "mygitlab.local", "https://myvault.local", "https://mygitlab.local"],
  "bound_claims": {
    "project_id": "1158",
    "ref_protected": "true",
    "ref_type": "branch"
  }
}
EOF

Which value should I put in bound_audiences?

thank you very much

Hi,

Maybe this link will help: Vault Authentication with GitLab OpenID Connect | GitLab

The bound_audience has to be I think the client_id generated in Gitlab. So in points 3 and 4 you use the client_id and secret. I know it’s for openId, but perhaps for JWT it will be similar, in that a client id is required, rather than the URLs or hostnames being put?

EDIT: maybe this is more to the point: JWT OmniAuth provider | GitLab
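Whatever the correct audience turns out to be, the quickest way to settle the question is to decode the token the runner actually presents and compare its `aud` claim with the role's `bound_audiences` the way Vault does. The script below is an added diagnostic example, not code from either post or from GitLab/Vault; the bound_audiences list is taken from the role in the question, and the sample token is constructed (unsigned placeholder signature) purely to exercise the check. It mirrors Vault's rule: `aud` may be a string or an array, and any exact match against any bound audience is enough.

```python
import base64
import json

# bound_audiences as written in the role from the question.
BOUND_AUDIENCES = ["myvault.local", "mygitlab.local",
                   "https://myvault.local", "https://mygitlab.local"]


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.
    The signature is NOT verified: this is only for inspecting a token
    you already hold (e.g. printed in a job log), never for trusting one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def aud_values(claims: dict) -> list:
    """RFC 7519 allows 'aud' to be a single string or an array of strings."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def matches_bound_audiences(claims: dict, bound_audiences: list) -> bool:
    """Vault accepts the token if any aud value equals any bound audience.
    Comparison is an exact string match: scheme, port and trailing slash matter."""
    return any(a in bound_audiences for a in aud_values(claims))


def make_test_token(claims: dict) -> str:
    """Build a constructed, unsigned demo token (placeholder signature 'sig')."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed claims shaped like a GitLab CI job token for project 1158.
    token = make_test_token({"aud": "https://mygitlab.local/", "project_id": "1158"})
    claims = jwt_claims(token)
    print("aud =", aud_values(claims), "match:",
          matches_bound_audiences(claims, BOUND_AUDIENCES))
```

If the printed `aud` is not literally one of the role's bound_audiences (a trailing slash or missing scheme is enough to fail), adjust the role to the exact string the token carries; in pipelines that use the `id_tokens:` keyword, that string is whatever the job's `aud:` entry sets.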