Vault & GitLab CI integration using JWT

I have used an integration with GitLab CI, and all existing ones work fine. But when I add a new project and want to integrate CI, this error starts occurring:

{"errors":["error validating token: invalid audience (aud) claim: audience claim does not match any expected audience"]}

What we do:

  • Added new kv ‘group’

  • Added new auth role to policies (gitlab-prod):

path "kv/scrapper/*" {
  capabilities = ["read"]
}
  • executed the command to configure the role:
vault write auth/jwt/role/scrapper - <<EOF 
{ 
  "role_type": "jwt", 
  "policies": ["gitlab-prod"], 
  "token_explicit_max_ttl": 60, 
  "bound_claims_type": "glob", 
  "bound_claims": { 
    "project_id": "***", 
    "ref": "prod", 
    "ref_type": "branch" 
  }, 
  "user_claim": "sub", 
  "bound_audiences": "https://gitlab.com" 
} 
EOF
  • during CI I want to connect to Vault this way in a bash script:
# Store Vault address, auth role, etc.
VAULT_ADDR="***"
VAULT_AUTH_ROLE="scrapper"
# KV v2 data path for the new keys (covered by the kv/scrapper/* policy)
VAULT_SECRETS_PATH="kv/scrapper/data/secrets?version=1"

# Set Vault token by logging in with the GitLab job JWT (CI_JOB_JWT_V2)
VAULT_LOGIN_URL="${VAULT_ADDR}/v1/auth/jwt/login"
VAULT_LOGIN_DATA="{\"role\": \"${VAULT_AUTH_ROLE}\", \"jwt\": \"${CI_JOB_JWT_V2}\"}"
VAULT_LOGIN_OUTPUT=$(curl --silent --request POST --data "${VAULT_LOGIN_DATA}" "${VAULT_LOGIN_URL}")
# Extract the client token from the login response (null when login failed)
VAULT_TOKEN=$(echo "${VAULT_LOGIN_OUTPUT}" | jq -r ".auth.client_token")
VAULT_TOKEN_HEADER="X-Vault-Token: ${VAULT_TOKEN}"

But the login response gives this error:

{"errors":["error validating token: invalid audience (aud) claim: audience claim does not match any expected audience"]}

Probably there is an issue connected to the JWT generated by the GitLab runner (CI_JOB_JWT_V2), but our previous integrations work fine and are set up the same way.
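As an added diagnostic example (not part of the original post, and not Vault's own code): decode the job token's claims locally and compare them against the role's bound_audiences and bound_claims the way Vault does, so the failing check is visible before the login call. The role values, the project_id placeholder and the sample tokens below are constructed; the glob matching is an approximation of Vault's `*`-only glob.

```python
import base64
import fnmatch
import json

# Role configuration as in the question (constructed copy; project_id is a placeholder).
ROLE = {
    "bound_audiences": ["https://gitlab.com"],
    "bound_claims_type": "glob",
    "bound_claims": {"project_id": "12345", "ref": "prod", "ref_type": "branch"},
}

def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT. The signature is NOT verified here;
    this only inspects the claims that Vault will compare against the role."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims: dict, role: dict) -> list:
    """Mimic Vault's role checks: 'aud' must intersect bound_audiences, and every
    bound_claims entry must match (glob or exact). Returns a list of failures."""
    problems = []
    aud = claims.get("aud", [])
    if isinstance(aud, str):          # aud may be a string or a list of strings
        aud = [aud]
    if not set(aud) & set(role["bound_audiences"]):
        problems.append(f"aud {aud!r} not in bound_audiences {role['bound_audiences']!r}")
    use_glob = role.get("bound_claims_type") == "glob"
    for name, expected in role["bound_claims"].items():
        actual = str(claims.get(name, ""))
        ok = fnmatch.fnmatchcase(actual, expected) if use_glob else actual == expected
        if not ok:
            problems.append(f"claim {name}={actual!r} does not match {expected!r}")
    return problems

def build_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (fake header and signature) for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.fakesig"

# Constructed GitLab-style claims; 'aud' here is a self-managed instance URL, which is
# what produces the "audience claim does not match any expected audience" failure.
SAMPLE = build_unsigned_jwt({"sub": "job_1", "aud": "https://gitlab.example.internal",
                             "project_id": "12345", "ref": "prod", "ref_type": "branch"})

if __name__ == "__main__":
    for problem in check_claims(decode_jwt_payload(SAMPLE), ROLE) or ["all role checks pass"]:
        print(problem)
```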