Using GitLab version v16.8.1-ee
I have followed the guide at https://docs.gitlab.com/ee/ci/secrets/azure_key_vault.html to set up the proper app, service principal, and federated identity in Azure, as well as assigning the proper Reader and Key Vault Secrets User roles to the app.
I have confirmed and verified that I can log in and access the key vault and the secrets via the Azure CLI in a GitLab CI job using the credentials generated.
In my .gitlab-ci.yml I have the following job:
get_az_secret:
  allow_failure: true
  when: manual
  variables:
    AZURE_KEY_VAULT_SERVER_URL: https://my-magical-keyvault.vault.azure.net
    AZURE_CLIENT_ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    AZURE_TENANT_ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  id_tokens:
    AZURE_JWT:
      aud: https://gitlab.my-selfhosted-domain.com
  secrets:
    TEST:
      token: $AZURE_JWT
      azure_key_vault:
        name: my-magical-secret
        version: 20ad3ea2266041d4b2f8b1eedb41b992
      file: false
  script:
    - echo $TEST
When the job runs, it outputs the following:
Resolving secrets
Resolving secret "TEST"...
WARNING: Not resolved: no resolver that can handle the secret
GitLab's own documentation doesn't address this particular issue. Neither does Azure's.
What exactly does this output warning indicate?
I have attempted to wrap the aud, name, and version values in quotation marks, but that made no difference.
I have also tried different secret names and versions from the same Azure key vault.
I even tried an entirely different Azure key vault.
The problem is related to the runner version. The GCP integration was introduced in GitLab and GitLab Runner 16.8: https://gitlab.com/gitlab-org/gitlab/-/issues/442008. I assume you are using shared runners. Since they haven't upgraded the entire fleet yet, it's possible that older runners are running your pipeline.
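Since the answer above comes down to which runner picked up the job, a practical check is to make the job identify its runner and fail early, before "Resolving secrets", when that runner is too old. The script below is an added example, not code from the question, the answer, or GitLab. It relies on GitLab's predefined CI variables CI_RUNNER_VERSION, CI_RUNNER_ID and CI_RUNNER_DESCRIPTION; MIN_RUNNER_VERSION is an assumed variable name whose default, 16.8, is the version the answer names.

```shell
#!/bin/sh
# Added example: abort a GitLab CI job early when the runner that picked it up
# is older than the version required for the azure_key_vault secrets resolver.
# MIN_RUNNER_VERSION is an assumed name; its default of 16.8 is the version the
# answer above names. CI_RUNNER_VERSION, CI_RUNNER_ID and CI_RUNNER_DESCRIPTION
# are GitLab predefined CI variables.

# version_part VERSION N: the Nth dot-separated numeric component of VERSION.
# Two dots are appended so cut always sees at least three fields; leading junk
# ("v16"), trailing junk ("0~pre", "1-rc1") and missing components all reduce
# to a plain integer (missing -> 0).
version_part() {
    printf '%s..\n' "$1" | cut -d. -f"$2" | sed 's/^[^0-9]*//; s/[^0-9].*//; s/^$/0/'
}

# version_ge A B: succeeds when A >= B, comparing major, minor and patch
# numerically (so 16.10 > 16.8, which a plain string compare gets wrong).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(version_part "$1" "$i")
        y=$(version_part "$2" "$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# check_runner VERSION MIN: print a diagnostic that names the runner, and
# return 1 when VERSION is older than MIN so the job can stop right away.
check_runner() {
    runner="${CI_RUNNER_ID:-?}/${CI_RUNNER_DESCRIPTION:-unknown}"
    if version_ge "$1" "$2"; then
        echo "runner $runner is $1 (>= $2): azure_key_vault resolver should be available"
        return 0
    fi
    echo "runner $runner is $1 (< $2): too old to resolve azure_key_vault secrets" >&2
    echo "pin the job to upgraded runners with 'tags:' or upgrade this runner" >&2
    return 1
}

# Inside a job this is the whole before_script; outside CI it does nothing.
if [ -n "${CI_RUNNER_VERSION:-}" ]; then
    check_runner "$CI_RUNNER_VERSION" "${MIN_RUNNER_VERSION:-16.8}" || exit 1
fi
```

Put the call in the job's before_script; the job log then shows the runner id and version next to the version it needed, which makes a silent "Not resolved: no resolver that can handle the secret" on a shared fleet easy to attribute to the specific runner instead of to the YAML.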