Tags: github-actions, openid-connect, hashicorp-vault

Authenticating GitHub Actions to Vault fails when an environment is set in the job


I'm having an issue where, if I specify an environment for a GitHub Actions job, I can no longer authenticate to Vault using JWT auth.

This is how we have Vault set up...

module "github-actions" {
  source               = "../../module/github-actions"
  vault_addr           = local.vault_addr
  env                  = local.env
  application_name     = local.application_name
  role                 = format("%s-%s-onboarding", local.env, local.application_name)
  github_oidc_bindings = [
    {
      audience : "https://github.com/organization-name",
      vault_role_name : "vault-role-name",
      bound_subject : "repo:organization-name/repo-name:ref:refs/heads/main",
      vault_policies : [
        "vault-policy-name"
      ]
    }
  ]
}

I'm using the latest (2.5.0) vault-action from HashiCorp, which is set up like this...

- name: get_secret
  id: get_secret
  uses: hashicorp/vault-action@v2.5.0
  with:
    url: ${{ env.VAULT_ADDR }}
    namespace: ${{ env.VAULT_NAMESPACE }}
    role: ${{ env.VAULT_ROLE }}
    method: jwt
    path: github-actions
    secrets: |
      secret/data/api/path secret_name

This all works fine and the action is able to authenticate and retrieve the secret, until I specify an environment for the job in the workflow file. So if I were to add the following to the job definition...

environment: production

I then get the following error returned from Vault, indicating that the claim sent by GitHub doesn't match the bound_subject set in the Vault config...

Error: failed to retrieve vault token. code: ERR_NON_2XX_3XX_RESPONSE, message: Response code 400 (Bad Request), vaultResponse: {"errors":["error validating claims: claim "sub" does not match any associated bound claim values"]}

So my question is: what should the bound_claims look like for jobs using environments, as it appears that this changes depending on the environment used? I don't seem to be able to find any documentation on this at all.


Solution

  • Finally figured this out; it turns out that if you specify an environment for your jobs, then the subject claim in the JWT/OIDC token changes from:

    repo:organization-name/repo-name:ref:refs/heads/main

    to...

    repo:organization-name/repo-name:environment:env_name

    So I updated the bound_claims in the github-actions module config in vault to include both the repo and the environment (could also use a wildcard if you wanted) and now the auth works.
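The subject change described above, and why the original bound_subject stops matching, can be seen by decoding the token's payload and applying the same matching rule Vault uses. The script below is an added example, not code from the question, the answer, or HashiCorp: the two claim sets are constructed to resemble what GitHub issues for a branch-triggered job and an environment-gated job (a real token carries more claims and an RS256 signature, which Vault verifies against GitHub's JWKS and this script deliberately does not). `subject_allowed` emulates the two matching modes of a Vault JWT role, exact match (the default, `bound_claims_type = "string"`) and `*` wildcards (`bound_claims_type = "glob"`), so you can check a proposed binding offline before widening it with a wildcard.

```python
import base64
import json

# Constructed sample claim sets (not real GitHub tokens). Only the claims
# relevant to subject matching are included.
BRANCH_JOB_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "https://github.com/organization-name",
    "repository": "organization-name/repo-name",
    "ref": "refs/heads/main",
    "sub": "repo:organization-name/repo-name:ref:refs/heads/main",
}
ENVIRONMENT_JOB_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "https://github.com/organization-name",
    "repository": "organization-name/repo-name",
    "ref": "refs/heads/main",
    "environment": "production",
    "sub": "repo:organization-name/repo-name:environment:production",
}


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def encode_unsigned_jwt(claims: dict) -> str:
    """Build a three-part token with an empty signature segment.
    Demo only: it lets read_subject() work on something JWT-shaped.
    Vault never accepts an unsigned token; it checks the RS256 signature."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}."


def read_subject(token: str) -> str:
    """Decode (without verifying) the payload segment and return 'sub'.
    This is the inspection step for a 'claim "sub" does not match' error:
    see what GitHub actually issued before changing the Vault role."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def glob_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters; nothing else is special.
    Approximates the glob semantics Vault uses for bound_claims_type=glob."""
    parts = pattern.split("*")
    if len(parts) == 1:
        return pattern == value
    head, tail = parts[0], parts[-1]
    if len(value) < len(head) + len(tail):
        return False
    if not (value.startswith(head) and value.endswith(tail)):
        return False
    pos, end = len(head), len(value) - len(tail)
    for part in parts[1:-1]:  # middle fragments must appear in order
        idx = value.find(part, pos, end)
        if idx < 0:
            return False
        pos = idx + len(part)
    return True


def subject_allowed(sub: str, bound_subjects, claims_type: str = "string") -> bool:
    """Emulate a Vault JWT role's subject check: exact match by default,
    '*' wildcards when the role is configured with bound_claims_type=glob."""
    if claims_type == "glob":
        return any(glob_match(p, sub) for p in bound_subjects)
    return sub in bound_subjects


if __name__ == "__main__":
    main_only = ["repo:organization-name/repo-name:ref:refs/heads/main"]
    both = main_only + ["repo:organization-name/repo-name:environment:production"]
    for claims in (BRANCH_JOB_CLAIMS, ENVIRONMENT_JOB_CLAIMS):
        sub = read_subject(encode_unsigned_jwt(claims))
        print(sub, "| main-only:", subject_allowed(sub, main_only),
              "| main+env:", subject_allowed(sub, both))
```

Running it shows the branch subject passing both bindings while the environment subject fails the main-only binding and passes once the environment subject is added, which is exactly the fix in the answer. A glob such as `repo:organization-name/repo-name:environment:*` admits every environment of that one repository but still rejects other repositories; patterns that put the `*` earlier in the subject widen trust much further, so keep the repository part literal.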