Hey Mates,
i try to get secrets from vault in my pipeline. We use a self hosted free edition of Gitlab and i was wondering, if maybe this is the problem.
I try the following:
export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=${VAULT_ROLE} jwt=$CI_JOB_JWT)"
And get the following error:
Error writing data to auth/jwt/login: Error making API request.
URL: PUT URL/v1/auth/jwt/login
Code: 400. Errors:
* missing token
Does someone have a solution and can help me, this would make my day 
Cheers
Tobeje
Hi,
you can try the official integration instead of some woodoo - here: Using external secrets in CI | GitLab
Hey balonik,
Unfortunately this is a premium feature, the configuration seems to be for all tiers, but the “Use Vault secrets in a CI job” only for premium. Or maybe I’m missing something…
I realize this is a 4y old thread, but it comes up in search, so adding this for anyone later.
The missing token error from auth/jwt/login means the request reached Vault with an empty jwt field, so $CI_JOB_JWT was empty in that job. It wasn’t a tier limitation: the manual vault write auth/jwt/login … jwt=… flow works on all tiers. Maybe you hit this or a related bug?
Today you don’t use CI_JOB_JWT at all (deprecated in 15.9, removed in 17.0). You mint the token explicitly with an id_tokens block and reference that variable:
auth_job:
id_tokens:
VAULT_ID_TOKEN:
aud: https://vault.example.com # must match the role's bound_audiences
script:
- export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=$VAULT_ROLE jwt=$VAULT_ID_TOKEN)"
If it still comes back empty, the id_token variable name or the aud is usually the culprit.