id_tokens and HashiCorp Vault wrong iss

We're using the gitlab.com solution. With the following in a .gitlab-ci.yml:

```yaml
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://gitlab.com
  secrets:
    TEST:
      vault: /user/test@00-common
      token: $VAULT_ID_TOKEN
      file: false
```

it works when in Vault we have the 'Bound issuer' set to 'gitlab.com'. But in the JWT token that is created the ISS is set to 'https://gitlab.com'. When we set 'Bound issuer' to 'https://gitlab.com' it breaks with an error: `ERROR: Job failed (system failure): resolving secrets: initializing Vault service: preparing authenticated client: authenticating Vault client: writing to Vault: api error: status code 400: error validating token: invalid issuer (iss) claim`

The trouble is that when we want to use an id_token in an Ansible playbook to connect to Vault, the ISS and 'Bound issuer' need to be the same.

So Vault will work for secrets (and not Ansible) or work for Ansible (and not GitLab secrets).

Secrets should work when iss and bound issuer are set the same.
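To check which issuer value a job's ID token actually carries before pointing at Vault, here is an added Python example (not code from the issue, GitLab or Vault) that decodes a JWT payload without signature verification and applies the exact string comparison a `bound_issuer` check performs. The token below is constructed inline; the claim values are placeholders, not a real GitLab token.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url-encode without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT with a placeholder signature, for inspection only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying the signature.
    Only for seeing what a job sent; Vault still does the full verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_matches(claims: dict, bound_issuer: str) -> bool:
    """The check that fails in the report: iss must equal bound_issuer
    character for character, so 'gitlab.com' and 'https://gitlab.com' differ."""
    return claims.get("iss") == bound_issuer


# Constructed sample token mirroring the claims described in the issue.
SAMPLE_TOKEN = make_unsigned_token({
    "iss": "https://gitlab.com",
    "aud": "https://gitlab.com",
    "sub": "project_path:example/repo:ref_type:branch:ref:main",  # placeholder
})

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print("iss =", claims["iss"])
    for bound in ("gitlab.com", "https://gitlab.com"):
        verdict = "ok" if issuer_matches(claims, bound) else "invalid issuer (iss) claim"
        print(f"bound_issuer={bound!r}: {verdict}")
```

In a real job, paste the value of `$VAULT_ID_TOKEN` into `decode_claims` to confirm the `iss` and `aud` the runner actually sent.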

Edited by Jurgen Brand