Vault gitlab 17.x ce and jwt

Hello,

As you know, support for the CI JWT variable has been removed … and I cannot manage to make the ID_TOKEN work.

Here is what I have in my GitLab (for the deployment):


deploy-sb:
  variables:
    VAULT_SERVER_URL: https://vault.coredmp.net
    VAULT_AUTH_PATH: jwt
    VAULT_AUTH_ROLE: reflexogest_front_elisa_dep_sandbox
    VAULT_NAMESPACE: ""
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.coredmp.net

  script:
    - env
    - TAG=v$(cat VERSION)
    - echo "$VAULT_ID_TOKEN" > vault_token
    - /bin/sh scripts/deploy_env.sh "reflexogest_front_elisa" "ovh-01.coredmp.net" "/home/reflexogest_front_elisa_sandbox" "sandbox" $TAG
  environment:
    name: sandbox
    url: https://sanbox.reflexo-elizen.fr
    on_stop: stop-sb
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: always
  artifacts:
    paths:
      - vault_token
    when: always
    expire_in: "30 days"

The configuration of the Vault seems OK, as I can get my secret using a generated token.

My problem is that I get this inside the “vault_token” artefact:


I suspected that it is base64, so I tried to decode it:

fabrice@garfield-ubuntu:~/Downloads/artifacts (1)$ cat vault_token |base64 -d 
{"kid":"-99cmKOS5z-el1D_DSimqBD2fAvp-fZ_UkqRyRvuX-E","typ":"JWT","alg":"RS256"}base64: invalid input

After some reflection … I see that there is a “.” inside the b64 … so I separated it in two parts:

fabrice@garfield-ubuntu:~/Downloads/artifacts (1)$ cat vault_token | cut -d '.' -f 1 > first.b64
fabrice@garfield-ubuntu:~/Downloads/artifacts (1)$ cat vault_token | cut -d '.' -f 2 > second.b64

To eliminate the error on b64, add some “=” at the end of each file (two for the first one and one for the second), and then I got this:

fabrice@garfield-ubuntu:~/Downloads/artifacts (1)$ cat first.b64 | base64 -d|jq
{
  "kid": "-99cmKOS5z-el1D_DSimqBD2fAvp-fZ_UkqRyRvuX-E",
  "typ": "JWT",
  "alg": "RS256"
}
fabrice@garfield-ubuntu:~/Downloads/artifacts (1)$ 

and

fabrice@garfield-ubuntu:~/Downloads/artifacts (1)$ cat second.b64 | base64 -d|jq
{
  "namespace_id": "280",
  "namespace_path": "reflexogest",
  "project_id": "239",
  "project_path": "reflexogest/reflexogest_front_elisa",
  "user_id": "34",
  "user_login": "fabrice",
  "user_email": "fabrice@coredmp.net",
  "user_access_level": "owner",
  "pipeline_id": "2215",
  "pipeline_source": "push",
  "job_id": "6799",
  "ref": "main",
  "ref_type": "branch",
  "ref_path": "refs/heads/main",
  "ref_protected": "true",
  "groups_direct": [
    "Chat",
    "Toto",
    "cryptutils",
    "cryptutils/transfertfailed",
    "flutter-courses",
    "gestcontact",
    "others",
    "portail",
    "reflexogest",
    "since-last",
    "tutorials"
  ],
  "environment": "sandbox",
  "environment_protected": "false",
  "deployment_tier": "other",
  "environment_action": "start",
  "runner_id": 4,
  "runner_environment": "self-hosted",
  "sha": "b6bd2888c1aed9fddad4aec92fa4fea970473790",
  "project_visibility": "private",
  "ci_config_ref_uri": "gitlab-syno.coredmp.net/reflexogest/reflexogest_front_elisa//.gitlab-ci.yml@refs/heads/main",
  "ci_config_sha": "b6bd2888c1aed9fddad4aec92fa4fea970473790",
  "jti": "d76d42c3-d4f5-46c7-aa51-2a7567d25c93",
  "iss": "https://gitlab-syno.coredmp.net",
  "iat": 1716920295,
  "nbf": 1716920290,
  "exp": 1716923895,
  "sub": "project_path:reflexogest/reflexogest_front_elisa:ref_type:branch:ref:main",
  "aud": "https://vault.coredmp.net"
}

Well … this is not a Vault token … but the JWK which should be used for getting the token …

Does anybody have any explanation of what I am doing wrong?

Thanks

Fabrice

We’ve been facing the same issue, have you figured it out on your end?

Actually, thanks to this post I did learn that CI_JOB_JWT == VAULT_ID_TOKEN, and it works. Well, for my terraform jobs where I was using CI_JOB_JWT previously, just replacing it with VAULT_ID_TOKEN works now. Thanks to this post; just in case it helps anyone else.

Is anybody able to advise whether this should work with the GitLab free version or not? I see at the start of the article Authenticating and reading secrets with HashiCorp Vault | GitLab that the free tier is not listed as it is for other articles.

In my case the VAULT_ID_TOKEN does not appear to be generated, as an API request to https://vault.example.com:8200/v1/auth/jwt/login (I have left out my actual domain name) to generate a login session reports status: 400 - missing token.

Also, trying to output the VAULT_ID_TOKEN to a file so that it can be read and not listed as [MASKED] gives a blank output.

Can confirm it works with the GitLab.com free tier. I found a few errors in my config, the main two being:

  1. Request body defined but not sent in the request
  2. A space in the GitLab project ID in the JWT role definition.
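The decoding the original poster did by hand with `cut` and padded `base64 -d`, plus the blank-token and "missing token" symptoms in the later replies, as one added example that is not code from this thread or from GitLab or Vault: it base64url-decodes the three dot-separated JWT segments, checks the claims a Vault JWT role is bound to, and builds the `/v1/auth/<path>/login` request body. All names, URLs and claim values below are constructed placeholders; the sample token is unsigned test data and nothing here verifies a signature (Vault does that against GitLab's JWKS).

```python
import base64
import json
# Constructed sample claims, modelled on the ones decoded in the post above.
SAMPLE_CLAIMS = {
    "project_path": "example-group/example-project", "ref": "main",
    "ref_type": "branch", "iss": "https://gitlab.example.com",
    "aud": "https://vault.example.com", "nbf": 1716920290, "exp": 1716923895,
    "sub": "project_path:example-group/example-project:ref_type:branch:ref:main",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()  # JWT segments drop '='

def b64url_decode(segment: str) -> bytes:
    """Restore the '=' padding a plain `base64 -d` needs, then decode base64url."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_jwt(claims: dict) -> str:
    """Build header.payload.signature with a dummy signature: constructed test data only."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.{b64url(b'fake-signature')}"

def decode_jwt(token: str) -> tuple[dict, dict]:
    """Return (header, claims) of a compact JWT. No signature check: Vault does that via JWKS."""
    parts = token.strip().split(".")
    if len(parts) != 3:  # a blank or [MASKED] variable ends up here
        raise ValueError(f"expected header.payload.signature, got {len(parts)} part(s)")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def check_claims(claims: dict, issuer: str, audience: str, bound: dict, now: int) -> list[str]:
    """Reasons a Vault JWT role (bound_issuer/bound_audiences/bound_claims) would reject it."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != {issuer!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} lacks {audience!r}")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        problems.append("now is outside the token's nbf/exp window")
    for name, want in bound.items():
        if claims.get(name) != want:
            problems.append(f"{name}: {claims.get(name)!r} != {want!r}")
    return problems

def vault_login_request(server_url: str, auth_path: str, role: str, token: str) -> tuple[str, bytes]:
    """URL and JSON body for POST /v1/auth/<path>/login; an empty jwt is what gets Vault's 400 'missing token'."""
    if not token:
        raise ValueError("jwt is empty: the id_tokens variable was not populated")
    body = json.dumps({"role": role, "jwt": token}).encode()
    return f"{server_url.rstrip('/')}/v1/auth/{auth_path.strip('/')}/login", body
```

Run `check_claims` on a decoded pipeline token with the exact values from the Vault role before debugging the login call itself; a mismatch there (for instance a stray space in a bound project ID, as in the reply above) is reported by name.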