I realize this is a 4y old thread, but it comes up in search, so adding this for anyone later.
The missing token error from auth/jwt/login means the request reached Vault with an empty jwt field, so $CI_JOB_JWT was empty in that job. It wasn’t a tier limitation: the manual vault write auth/jwt/login … jwt=… flow works on all tiers. Maybe you hit this or a related bug?
Today you don’t use CI_JOB_JWT at all (deprecated in 15.9, removed in 17.0). You mint the token explicitly with an id_tokens block and reference that variable:
```yaml
auth_job:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.example.com # must match the role's bound_audiences
  script:
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=$VAULT_ROLE jwt=$VAULT_ID_TOKEN)"
```
If it still comes back empty, the id_token variable name or the aud is usually the culprit.
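
An added example, not part of the original post: a pre-flight check a job could run before `vault write` to tell an empty token variable apart from an `aud` mismatch. The function names and the sample token are constructed for illustration; the payload is decoded without signature verification, which is fine for debugging because Vault still validates the token itself.

```python
import base64
import json


def decode_claims(token):
    """Return the JWT payload as a dict WITHOUT verifying the signature (debug only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token(env, var_name, expected_aud):
    """Return a list of problems that would make auth/jwt/login fail."""
    token = env.get(var_name, "")
    if not token:
        # Same symptom as the thread: the jwt field reaches Vault empty.
        return [f"${var_name} is empty or unset: check the key under id_tokens"]
    try:
        claims = decode_claims(token)
    except ValueError as exc:  # also covers bad base64 and bad JSON
        return [f"${var_name} is not a decodable JWT: {exc}"]
    aud = claims.get("aud")
    # The aud claim may be a single string or a list of strings.
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_aud not in audiences:
        return [f"aud {audiences} does not contain {expected_aud!r}"]
    return []


def make_sample_token(aud):
    """Constructed sample: unsigned token with a placeholder signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}),
                     enc({"aud": aud, "sub": "constructed"}), "sig"])


if __name__ == "__main__":
    import os
    # Assumption: the expected audience equals the role's bound_audiences value.
    for problem in check_id_token(os.environ, "VAULT_ID_TOKEN",
                                  "https://vault.example.com"):
        print(problem)  # only the diagnosis is printed, never the token
```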