Vault JWT issuer claim (ISS) differs between id_tokens and secrets
Summary
I'm trying to call the Vault CLI from the runner to sign an SSH certificate. I can fetch secrets using the secrets: configuration, but when I manually try to call the login action from the runner with an id_token, I get an error:

```
URL: PUT https://[MASKED]/v1/auth/gitlab/login Code: 400. Errors:
- error validating token: invalid issuer (iss) claim
```
It turns out that the JWT for secrets contains "gitlab.com" as the issuer, while a JWT from id_tokens contains "https://gitlab.com" as the issuer.
I expect these to be the same, or at least configurable so I can force them to be the same.
If I look at the documentation, I would also expect them to be the same: https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html
| iss | Issuer of the token, which is the domain of the GitLab instance (“issuer” claim). |
https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/index.html#how-it-works
| iss | Always | Issuer, the domain of your GitLab instance |
Steps to reproduce
.gitlab-ci.yml:

```yaml
failingJob:
  secrets:
    SOME_SECRET:
      vault: path/to/secret@kv
  id_tokens:
    VAULT_JWT_TOKEN:
      aud: https://gitlab.com
  script:
    - vault write -address=$VAULT_SERVER_URL -field=token auth/gitlab/login role=vault-role jwt="$VAULT_JWT_TOKEN" > ~/.vault-token
```
Actual behavior
The secret is fetched successfully, but the login command in the script fails with a 400 error.
Expected behavior
I expect the ID token to have the same issuer as the JWT used for secrets.
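The following Python is an added example, not part of the original report or of GitLab's or Vault's code. It builds two constructed, unsigned tokens carrying the two issuer strings from the report, decodes their payloads the way a practitioner would when inspecting a failing login, and applies the exact string comparison a JWT auth method such as Vault's performs against its configured bound issuer. The helper names, the sub claim value and the token contents are assumptions; nothing here verifies a signature, so the decoded claims are for inspection only.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Use this only to inspect a token; never make an authorization decision on it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def issuer_matches(token: str, bound_issuer: str) -> bool:
    """Mimic the strict equality check a JWT auth backend applies between the
    token's iss claim and its configured bound issuer. "gitlab.com" and
    "https://gitlab.com" are different strings, so one of them always fails."""
    return jwt_claims(token).get("iss") == bound_issuer


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed alg=none JWT (empty signature) for offline inspection only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample tokens reproducing the two issuer forms described in the report.
# The sub value is an assumption made for the example, not a real GitLab token.
SECRETS_JWT = make_unsigned_token({
    "iss": "gitlab.com",
    "aud": "https://gitlab.com",
    "sub": "project_path:example-group/example-project:ref_type:branch:ref:main",
})
ID_TOKEN_JWT = make_unsigned_token({
    "iss": "https://gitlab.com",
    "aud": "https://gitlab.com",
    "sub": "project_path:example-group/example-project:ref_type:branch:ref:main",
})


def explain_mismatch(token_a: str, token_b: str, bound_issuer: str) -> dict:
    """Summarise why one token logs in and the other is rejected for a given bound issuer."""
    iss_a = jwt_claims(token_a).get("iss")
    iss_b = jwt_claims(token_b).get("iss")
    return {
        "bound_issuer": bound_issuer,
        "iss_a": iss_a,
        "iss_b": iss_b,
        "a_accepted": iss_a == bound_issuer,
        "b_accepted": iss_b == bound_issuer,
        "same_issuer": iss_a == iss_b,
    }


if __name__ == "__main__":
    # A backend configured for the secrets token's issuer rejects the id_token
    report = explain_mismatch(SECRETS_JWT, ID_TOKEN_JWT, "gitlab.com")
    print(json.dumps(report, indent=2))
```

Running the block against a bound issuer of "gitlab.com" shows the secrets token accepted and the id_token rejected, which is the 400 "invalid issuer (iss) claim" seen in the report; pointing the bound issuer at "https://gitlab.com" inverts the result, so a single Vault auth configuration cannot accept both tokens as long as the two issuer strings differ.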
Environment description
Environment: gitlab.com
Runner: gitlab/gitlab-runner:latest on local docker server (Version: 16.9.1, Git revision: 782c6ecb)