HashiCorp Vault Integration issue with GitLab
We are using GitLab Enterprise Edition 15.1.2-ee and HashiCorp Vault v1.11.1 for the integration. For the test, we created a Vault-Test project, created a file called .gitlab-ci.yml with the details below, and did the config in Vault as per the documentation - https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/
```yaml
image: vault:latest

read_secrets:
  script:
    # Check job's ref name
    - echo $CI_COMMIT_REF_NAME
    # and is this ref protected
    - echo $CI_COMMIT_REF_PROTECTED
    # Vault's address can be provided here or as CI/CD variable
    - export VAULT_ADDR=http://10.222.28.31:8200
    # Authenticate and get token. Token expiry time and other properties can be configured
    # when configuring JWT Auth - https://www.vaultproject.io/api-docs/auth/jwt#parameters-1
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=myproject-production jwt=$CI_JOB_JWT_V2)"
    - echo $VAULT_TOKEN
    # Now use the VAULT_TOKEN to read the secret and store it in an environment variable
    - export PASSWORD="$(vault kv get -field=password kv/prod)"
    # Use the secret
    - echo $PASSWORD
```
This is the error we see in the CI/CD pipeline:

```
Error writing data to auth/jwt/login: Error making API request.
URL: PUT http://10.222.28.31:8200/v1/auth/jwt/login
Code: 400. Errors:
* error validating token: invalid issuer (iss) claim
```

Full Details of CI/CD pipeline:

```
Running with gitlab-runner 15.2.0 (7f093137)
on git-lab-server-dagoba.ole.redhat.com nzv_8M_t
Preparing the "docker" executor
00:16
Using Docker executor with image vault:latest ...
Pulling docker image vault:latest ...
Using docker image sha256:110083e80db2708862990fa140cc3d77f5d7e49e42b798b3c9430cd15ab36d23 for vault:latest with digest docker.io/library/vault@sha256:3431c4abf0626b6dcdc5e089b50f45f42b02e70c0e8e052dbfa7b286112b783c ...
Preparing environment
00:02
Running on runner-nzv8mt-project-2-concurrent-0 via git-lab-server-dagoba.ole.redhat.com...
Getting source from Git repository
00:16
Fetching changes with git depth set to 20...
Reinitialized existing Git repository in /builds/gitlab-instance-40c6af94/vault-test/.git/
Checking out 35176a08 as main...
Skipping Git submodules setup
Executing "step_script" stage of the job script
00:21
Using docker image sha256:110083e80db2708862990fa140cc3d77f5d7e49e42b798b3c9430cd15ab36d23 for vault:latest with digest docker.io/library/vault@sha256:3431c4abf0626b6dcdc5e089b50f45f42b02e70c0e8e052dbfa7b286112b783c ...
$ echo $CI_COMMIT_REF_NAME
main
$ echo $CI_COMMIT_REF_PROTECTED
true
$ export VAULT_ADDR=http://10.222.28.31:8200
$ export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=myproject-production jwt=$CI_JOB_JWT_V2)"
Error writing data to auth/jwt/login: Error making API request.
URL: PUT http://10.222.28.31:8200/v1/auth/jwt/login
Code: 400. Errors:
* error validating token: invalid issuer (iss) claim
$ echo $VAULT_TOKEN
Job succeeded
```
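
One way to check the condition the error above reports is to read the `iss` claim out of the job's JWT and compare it with the `bound_issuer` value set on Vault's `auth/jwt/config`. This is an added diagnostic example, not part of the original issue or of the GitLab or Vault documentation; the token and the `gitlab.example.com` hostnames are constructed sample values, and `make_sample_token` is a hypothetical helper.

```python
import base64
import json


def jwt_claims(token):
    """Decode a compact JWT's payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _host(value):
    """Strip scheme and trailing slash so near-miss issuer values can be recognised."""
    return value.split("://", 1)[-1].rstrip("/")


def check_issuer(token, bound_issuer):
    """Return (ok, message) comparing the token's iss claim with Vault's bound_issuer."""
    iss = jwt_claims(token).get("iss")
    if iss is None:
        return False, "token has no iss claim"
    if iss == bound_issuer:
        return True, f"iss matches bound_issuer ({iss!r})"
    # The two values are compared as strings, so a hostname-only value and a
    # full URL for the same GitLab instance do not match each other.
    if _host(iss) == _host(bound_issuer):
        return False, (f"iss {iss!r} and bound_issuer {bound_issuer!r} "
                       "differ only by scheme or trailing slash")
    return False, f"iss {iss!r} does not match bound_issuer {bound_issuer!r}"


def make_sample_token(iss):
    """Hypothetical helper: build an unsigned, constructed token for the demo."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "RS256", "typ": "JWT"}),
                     b64({"iss": iss, "ref": "main", "ref_protected": "true"}),
                     "c2ln"])  # placeholder signature, never checked here


if __name__ == "__main__":
    token = make_sample_token("https://gitlab.example.com")  # constructed sample
    for configured in ("gitlab.example.com", "https://gitlab.example.com"):
        print(configured, "->", check_issuer(token, configured))
```

The value to pass as `bound_issuer` is the one returned by `vault read auth/jwt/config`; the token is whatever the job passes as `jwt=` to `auth/jwt/login`.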