GitLab CI can't access Vault

GitLab Community Edition 14.2.7

curl -s -k -X GET

In Vault:

Created a secret: vault kv put secret/projects/test/mariadb login=user password=pass

Created a policy:

vault policy write project-test - <<EOF
path "secret/projects/test/*" {
  capabilities = [ "read" ]
}
EOF

And created a JWT role:

vault write auth/jwt/role/project-test - <<EOF
{
  "role_type": "jwt",
  "policies": ["project-test"],
  "token_explicit_max_ttl": 60,
  "user_claim": "",
  "bound_claims": {
    "project_id": "321",
    "ref": "main",
    "ref_type": "branch"
  }
}
EOF

vault write auth/jwt/config jwks_url="" bound_issuer=""

project_id is correct, main branch.

In GitLab CI:

stages:
  - test_vault

test_vault_job:   # job name assumed; it was not present in the post
  stage: test_vault
  script:
    - echo $CI_COMMIT_REF_NAME
    - export VAULT_ADDR=
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=project-test jwt=$CI_JOB_JWT)"
    - export LOGIN="$(vault kv get -field=login secret/projects/test/mariadb)"
    - export PASSWORD="$(vault kv get -field=password secret/projects/test/mariadb)"
    - echo $LOGIN
    - echo $PASSWORD

In the output, I get 403 everywhere. Where is access being denied? The Vault logs are silent.

$ export VAULT_ADDR=
$ export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=project-test jwt=$CI_JOB_JWT)"
Error writing data to auth/jwt/login: Error making API request.
Code: 400. Errors:
* claim "" not found in token

I see that it complains about claim "" not found in token, but it's not clear where to get the correct user_claim.


  • The authorization policy for the GitlabCI role with JWT/OIDC authentication is slightly wrong. It appears that you replaced the user_email with a literal email address. That value was not a placeholder, but rather an instruction for Vault to associate the token with the associated email of the user triggering the authentication:

      {
        "role_type": "jwt",
        "policies": ["project-test"],
        "token_explicit_max_ttl": 60,
        "user_claim": "user_email",
        "bound_claims": {
          "project_id": "321",
          "ref": "main",
          "ref_type": "branch"
        }
      }

    There may be another issue after this one, but the rest of your configuration LGTM, and this will move you past your current blocker.
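The two rules the answer relies on can be checked locally before calling Vault: user_claim must name a claim that the CI_JOB_JWT actually carries, and every bound_claims entry must match the token's value. The script below is an added example, not code from the question, the answer or GitLab; it constructs a sample GitLab 14.x job token payload (the values are made up) and runs the role from the question and the corrected role from the answer against it. It decodes the payload only to read claim names and values; it does not verify the signature, which Vault does against jwks_url.

```python
import base64
import json

# Constructed sample: the payload of a GitLab CI_JOB_JWT on the 14.x line.
# Claim names follow GitLab's documented job-token claims; values are made up.
SAMPLE_PAYLOAD = {
    "iss": "gitlab.example.com",
    "sub": "job_9876",
    "namespace_id": "12",
    "project_id": "321",
    "project_path": "group/test",
    "user_id": "7",
    "user_login": "ci-user",
    "user_email": "ci-user@example.com",
    "ref": "main",
    "ref_type": "branch",
    "ref_protected": "true",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_sample_jwt(payload: dict) -> str:
    """Assemble header.payload.signature with a dummy signature.
    Only claim names and values matter here; the real token is signed by
    GitLab and verified by Vault against jwks_url."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed"}).encode())
    body = b64url(json.dumps(payload).encode())
    return f"{header}.{body}.constructed-signature"


def decode_claims(jwt: str) -> dict:
    """Decode the payload segment without verifying the signature.
    This is an inspection aid for the job runner, not an authentication step."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    body = parts[1]
    body += "=" * (-len(body) % 4)  # restore the base64url padding GitLab strips
    return json.loads(base64.urlsafe_b64decode(body))


def check_role(role: dict, claims: dict) -> list[str]:
    """Return the reasons Vault's JWT auth would reject this token for this role:
    a user_claim naming a claim the token lacks, or a bound_claims mismatch."""
    problems = []
    user_claim = role.get("user_claim", "")
    if user_claim not in claims:
        # Same wording as the 400 in the question, for easy comparison.
        problems.append(f'claim "{user_claim}" not found in token')
    for name, wanted in role.get("bound_claims", {}).items():
        if name not in claims:
            problems.append(f'bound claim "{name}" not present in token')
            continue
        # Vault accepts either a single value or a list of allowed values.
        allowed = wanted if isinstance(wanted, list) else [wanted]
        if str(claims[name]) not in [str(v) for v in allowed]:
            problems.append(
                f'bound claim "{name}": token has {claims[name]!r}, role allows {allowed!r}'
            )
    return problems


ROLE_FROM_QUESTION = {
    "role_type": "jwt",
    "policies": ["project-test"],
    "token_explicit_max_ttl": 60,
    "user_claim": "",
    "bound_claims": {"project_id": "321", "ref": "main", "ref_type": "branch"},
}
ROLE_FROM_ANSWER = dict(ROLE_FROM_QUESTION, user_claim="user_email")

if __name__ == "__main__":
    token = build_sample_jwt(SAMPLE_PAYLOAD)
    claims = decode_claims(token)
    print("claims usable for user_claim / bound_claims:", sorted(claims))
    for label, role in (("as posted", ROLE_FROM_QUESTION), ("as corrected", ROLE_FROM_ANSWER)):
        print(f"{label}: {check_role(role, claims) or 'OK'}")
```

Run inside the job with the real `$CI_JOB_JWT` passed to `decode_claims`, and the printed claim list shows exactly which names are valid for user_claim (user_email, user_login, sub, and so on) and which values bound_claims must match. Because GitLab emits project_id as a string, the comparison is done on string form, which is also how the role in the answer spells it.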