Hello,
As you know, support for the CI JWT variable has been removed … and I cannot manage to make the ID_TOKEN work.
Here is what I have in my GitLab (for the deployment):
deploy-sb:
  variables:
    VAULT_SERVER_URL: https://vault.coredmp.net
    VAULT_AUTH_PATH: jwt
    VAULT_AUTH_ROLE: reflexogest_front_elisa_dep_sandbox
    VAULT_NAMESPACE: ""
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.coredmp.net
  script:
    - env
    - TAG=v$(cat VERSION)
    - echo "$VAULT_ID_TOKEN" > vault_token
    - /bin/sh scripts/deploy_env.sh "reflexogest_front_elisa" "ovh-01.coredmp.net" "/home/reflexogest_front_elisa_sandbox" "sandbox" $TAG
  environment:
    name: sandbox
    url: https://sanbox.reflexo-elizen.fr
    on_stop: stop-sb
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: always
  artifacts:
    paths:
      - vault_token
    when: always
    expire_in: "30 days"
The configuration of the Vault seems OK, as I can get my secret using a generated token.
My problem is that I get this inside the “vault_token” artefact:
eyJraWQiOiItOTljbUtPUzV6LWVsMURfRFNpbXFCRDJmQXZwLWZaX1VrcVJ5UnZ1WC1FIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.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.sr7hy-sTpT1fD1SVvDe7VyD4IMgef22hziLXvA7NWErOx178S0jMuSdj7jcWJs_ru729pzi0RK6ANUCynFYosRIH6MRJPWRr8bmuI2VvDl8vtvxoDIIgeVlYTa7UBbJJJYQ_j9l8g3uDrd_AzWZN2SOpeU_9EgkI9UIvkYJk99vH5U0UGWd4XK-olb0qB3hSiw1fDxUdHpL0H3XRykVBBxXhEVaM_jlPI2v5Oxtd3DMs9KOnzNIqMaF5_-FWAOwzVlxQ2EdtRuvqbOL8hmyNQLsl50tJKkZR0Aak6C3DtYNGjGTBZKVle7LlZfsRy5barWGGw0lanWqNzZnoo_jQUQ
I suspected that it is base64, so I tried to decode it:
fabrice@garfield-ubuntu:~/Downloads/artifacts (1)$ cat vault_token |base64 -d
{"kid":"-99cmKOS5z-el1D_DSimqBD2fAvp-fZ_UkqRyRvuX-E","typ":"JWT","alg":"RS256"}base64: invalid input
After some reflection … I see that there is a “.” inside the b64 … so I separate it into two parts:
fabrice@garfield-ubuntu:~/Downloads/artifacts (1)$ cat vault_token | cut -d '.' -f 1 > first.b64
fabrice@garfield-ubuntu:~/Downloads/artifacts (1)$ cat vault_token | cut -d '.' -f 2 > second.b64
To eliminate the base64 error, I added some “=” at the end of each file (two for the first one and one for the second), and then I got this:
fabrice@garfield-ubuntu:~/Downloads/artifacts (1)$ cat first.b64 | base64 -d|jq
{
"kid": "-99cmKOS5z-el1D_DSimqBD2fAvp-fZ_UkqRyRvuX-E",
"typ": "JWT",
"alg": "RS256"
}
fabrice@garfield-ubuntu:~/Downloads/artifacts (1)$
and
fabrice@garfield-ubuntu:~/Downloads/artifacts (1)$ cat second.b64 | base64 -d|jq
{
"namespace_id": "280",
"namespace_path": "reflexogest",
"project_id": "239",
"project_path": "reflexogest/reflexogest_front_elisa",
"user_id": "34",
"user_login": "fabrice",
"user_email": "fabrice@coredmp.net",
"user_access_level": "owner",
"pipeline_id": "2215",
"pipeline_source": "push",
"job_id": "6799",
"ref": "main",
"ref_type": "branch",
"ref_path": "refs/heads/main",
"ref_protected": "true",
"groups_direct": [
"Chat",
"Toto",
"cryptutils",
"cryptutils/transfertfailed",
"flutter-courses",
"gestcontact",
"others",
"portail",
"reflexogest",
"since-last",
"tutorials"
],
"environment": "sandbox",
"environment_protected": "false",
"deployment_tier": "other",
"environment_action": "start",
"runner_id": 4,
"runner_environment": "self-hosted",
"sha": "b6bd2888c1aed9fddad4aec92fa4fea970473790",
"project_visibility": "private",
"ci_config_ref_uri": "gitlab-syno.coredmp.net/reflexogest/reflexogest_front_elisa//.gitlab-ci.yml@refs/heads/main",
"ci_config_sha": "b6bd2888c1aed9fddad4aec92fa4fea970473790",
"jti": "d76d42c3-d4f5-46c7-aa51-2a7567d25c93",
"iss": "https://gitlab-syno.coredmp.net",
"iat": 1716920295,
"nbf": 1716920290,
"exp": 1716923895,
"sub": "project_path:reflexogest/reflexogest_front_elisa:ref_type:branch:ref:main",
"aud": "https://vault.coredmp.net"
}
Well … this is not a Vault token … but the JWK which should be used for getting the token …
Has anybody any explanation of what I am doing wrong?
Thanks
Fabrice
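The manual steps in the post (split on ".", pad each segment with "=", decode, inspect the claims) are exactly what a small inspector does in one go. The following script is an added example and is not part of the original post, nor GitLab's or Vault's code. It decodes the header and payload of a compact JWT with base64url padding restored, reports the claim problems a JWT auth backend would reject on (wrong `aud`, wrong `iss`, outside the `nbf`..`exp` window), and builds a constructed sample token shaped like the one in the post; the issuer, audience and project path in the sample are placeholders, and its third segment is a placeholder, not a real RS256 signature. It never verifies the signature: that is the accepting party's job (Vault checks it against the issuer's published keys during the JWT login).

```python
import base64
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment of a JWT.

    JWT segments use base64url (RFC 4648 section 5) with the '=' padding
    stripped, which is why plain `base64 -d` reports "invalid input" until
    padding is appended by hand. Here the padding is restored automatically.
    """
    segment = segment.strip()
    padding = (-len(segment)) % 4
    return base64.urlsafe_b64decode(segment + "=" * padding)


def b64url_encode(data: bytes) -> str:
    """Inverse of b64url_decode: base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str):
    """Split a compact JWT into (header, payload) dicts.

    The signature (third segment) is deliberately NOT verified here; this
    helper only shows what a CI job was handed. Verification belongs to the
    party that accepts the token.
    """
    parts = token.strip().split(".")  # strip() drops the newline added by `echo`
    if len(parts) != 3:
        raise ValueError(f"expected header.payload.signature, got {len(parts)} segment(s)")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def check_id_token_claims(payload: dict, expected_aud: str, expected_iss: str,
                          now: Optional[int] = None) -> list:
    """Return the claim problems that would make a JWT auth backend reject the token.

    An empty list means aud and iss match and `now` lies inside nbf..exp.
    """
    now = int(time.time()) if now is None else now
    problems = []
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        problems.append(f"aud {audiences!r} does not include {expected_aud!r}")
    if payload.get("iss") != expected_iss:
        problems.append(f"iss {payload.get('iss')!r} != {expected_iss!r}")
    if now < int(payload.get("nbf", 0)):
        problems.append("token not yet valid (nbf in the future)")
    if now >= int(payload.get("exp", 0)):
        problems.append("token expired (exp reached)")
    return problems


# Constructed sample token: header and payload modelled on the GitLab ID token
# shape shown in the post, with placeholder issuer/audience/project values.
# The third segment is a placeholder string, not a real RS256 signature.
SAMPLE_HEADER = {"kid": "example-kid", "typ": "JWT", "alg": "RS256"}
SAMPLE_PAYLOAD = {
    "project_path": "example-group/example-project",
    "ref": "main",
    "ref_type": "branch",
    "iss": "https://gitlab.example.invalid",
    "iat": 1716920295,
    "nbf": 1716920290,
    "exp": 1716923895,
    "sub": "project_path:example-group/example-project:ref_type:branch:ref:main",
    "aud": "https://vault.example.invalid",
}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps(SAMPLE_HEADER, separators=(",", ":")).encode()),
    b64url_encode(json.dumps(SAMPLE_PAYLOAD, separators=(",", ":")).encode()),
    b64url_encode(b"placeholder-signature-not-verified"),
])


if __name__ == "__main__":
    header, payload = decode_jwt(SAMPLE_TOKEN)
    print(json.dumps(header, indent=2))
    print(json.dumps(payload, indent=2))
    # Evaluate the claims at a time inside the token's validity window.
    print(check_id_token_claims(payload, "https://vault.example.invalid",
                                "https://gitlab.example.invalid", now=1716920300))
```

Run it against a real `vault_token` file with `decode_jwt(open("vault_token").read())`. What comes out is the GitLab-issued ID token, i.e. the credential that Vault's JWT auth method accepts at its login endpoint (`auth/<VAULT_AUTH_PATH>/login` with the `role` and `jwt` parameters) in exchange for a Vault token; the ID token itself never becomes a Vault token. Two things worth checking from the decoded claims: `aud` must equal the audience configured on the Vault role, and `exp - iat` (3600 seconds in the post's token) is how long a copy of the token remains exchangeable, so keeping it as a 30-day artifact extends the exposure of a live credential well beyond its intended lifetime.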