
GitLab CI/CD integration Vault shows Permission Denied

Dear team

When I try to integrate Vault in CI/CD and read secrets from Vault, I get the permission denied message. My configuration follows https://docs.gitlab.com/ee/ci/secrets/index.html.

Step 1

I enabled JWT and created the JWT configuration:

$ vault auth enable jwt

$ vault write auth/jwt/config \
  jwks_url="https://gitlab.example.com/-/jwks" \
  bound_issuer="gitlab.example.com"

Step 2

I created the policy:

/ # vault policy write aws-cred -<< EOF
> path "jh/aws-credentials" {
> capabilities = [ "read" ]
> }
> EOF

Step 3

I created my role:

/ # vault write auth/jwt/role/aws -<< EOF
> {
>   "role_type": "jwt",
>   "policies": ["aws-cred"],
>   "token_explicit_max_ttl": 60,
>   "user_claim": "user_login",
>   "bound_claims_type": "glob",
>   "bound_claims": {
>     "project_id": "59768",
>     "ref": "main",
>     "ref_type": "branch"
>    }
> }
> EOF

Step 4

Configure the CI/CD variable:

[Screenshot: Screen_Shot_2022-10-20_at_10.54.29_PM, CI/CD variable configuration]

Step 5

My .gitlab-ci.yml file is as below:

get_credentials:
  stage: pre-work
  tags:
    - aws
  secrets:
    # The secret name becomes a shell variable, so it cannot contain hyphens
    ACCESS_SECRET_KEY_ID:
      vault: aws-credentials/access-key-id@jh
  image:
    name: vault:latest
  script:
    - echo $ACCESS_SECRET_KEY_ID

But I get a failed build:

[Screenshot: Screen_Shot_2022-10-20_at_10.55.04_PM, failed job output]

However, all the data is available if I use the script commands below:

read_secrets:
  image: vault:latest
  script:
    # Check job's ref name
    - echo $CI_COMMIT_REF_NAME
    # and is this ref protected
    - echo $CI_COMMIT_REF_PROTECTED
    # Vault's address can be provided here or as CI/CD variable
    - export VAULT_ADDR=http://vault.example.com:8200
    # Authenticate and get token. Token expiry time and other properties can be configured
    # when configuring JWT Auth - https://www.vaultproject.io/api-docs/auth/jwt#parameters-1
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=myproject-production jwt=$CI_JOB_JWT)"
    # Now use the VAULT_TOKEN to read the secret and store it in environment variable
    - export PASSWORD="$(vault kv get -field=password secret/myproject/production/db)"
    # Use the secret
    - echo $PASSWORD

That means the secrets:vault keyword does not work. From the GitLab forum, it seems I am not the only one who has met this issue, and nobody got the right answer to fix it.

Any suggestion on how to use the secrets:vault keyword correctly?
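A "permission denied" from this setup can come from two different places: the JWT login (the token's claims do not satisfy the role's bound_claims, bound_issuer or user_claim) or the subsequent KV read (the policy does not cover the path the job actually reads). The helper below is an added example, not code from the question or from GitLab/Vault; it reproduces the role and auth config from steps 1 and 3, evaluates a constructed, unsigned sample of the CI_JOB_JWT payload against them (Vault also verifies the signature against jwks_url, which is deliberately not replicated here, and fnmatch only approximates Vault's glob matching), and translates the secrets:vault shorthand into the API path and the policy path it implies. Note that the shorthand form assumes a KV v2 engine, where both the API path and the policy path carry a data/ segment between the mount and the secret path.

```python
import base64
import fnmatch
import json

# Auth-method and role settings as posted in steps 1 and 3 of the question.
JWT_CONFIG = {"bound_issuer": "gitlab.example.com"}
ROLE = {
    "role_type": "jwt",
    "policies": ["aws-cred"],
    "user_claim": "user_login",
    "bound_claims_type": "glob",
    "bound_claims": {"project_id": "59768", "ref": "main", "ref_type": "branch"},
}

# Constructed sample claims, shaped like the documented GitLab CI_JOB_JWT payload.
# The token built from them is unsigned: Vault checks the real signature against
# jwks_url, which this offline helper does not replicate.
SAMPLE_CLAIMS = {
    "iss": "gitlab.example.com",
    "project_id": "59768",
    "user_login": "alice",
    "ref": "main",
    "ref_type": "branch",
    "ref_protected": "true",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def encode_unsigned_jwt(claims: dict) -> str:
    """Build 'header.payload.' with an empty signature (test data only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(jwt: str) -> dict:
    """Return the payload of a compact JWT without verifying it."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_bound_claims(claims: dict, role: dict, config: dict) -> list:
    """Mirror the claim checks Vault applies at auth/jwt/login; return failure reasons."""
    problems = []
    if claims.get("iss") != config["bound_issuer"]:
        problems.append(f"iss={claims.get('iss')!r} != bound_issuer {config['bound_issuer']!r}")
    if role["user_claim"] not in claims:
        problems.append(f"user_claim {role['user_claim']!r} missing from token")
    use_glob = role.get("bound_claims_type") == "glob"
    for name, expected in role["bound_claims"].items():
        patterns = expected if isinstance(expected, list) else [expected]
        actual = str(claims.get(name, ""))
        # fnmatch approximates Vault's glob matching (Vault documents '*' only).
        matched = any(fnmatch.fnmatchcase(actual, p) if use_glob else actual == p
                      for p in patterns)
        if not matched:
            problems.append(f"claim {name}={actual!r} does not match {expected!r}")
    return problems


def parse_vault_shorthand(spec: str, kv_version: int = 2) -> dict:
    """Translate the secrets:vault shorthand 'path/field@mount' into the Vault
    API path the job reads, which is also the path a policy must grant 'read' on.
    For a KV v2 engine (the shorthand's default) a 'data/' segment sits between
    the mount and the secret path; KV v1 has no such segment."""
    secret, sep, mount = spec.rpartition("@")
    if not sep or not mount:
        raise ValueError(f"missing '@mount' in {spec!r}")
    path, sep, field = secret.rpartition("/")
    if not sep:
        raise ValueError(f"missing '/field' in {spec!r}")
    api_path = f"{mount}/data/{path}" if kv_version == 2 else f"{mount}/{path}"
    return {"mount": mount, "path": path, "field": field, "api_path": api_path}


if __name__ == "__main__":
    token = encode_unsigned_jwt(SAMPLE_CLAIMS)
    print("login checks:", check_bound_claims(decode_claims(token), ROLE, JWT_CONFIG) or "ok")
    print("shorthand:", parse_vault_shorthand("aws-credentials/access-key-id@jh"))
```

For the job in the question, parse_vault_shorthand("aws-credentials/access-key-id@jh") yields the API path jh/data/aws-credentials, so a policy written as path "jh/aws-credentials" would not cover that read on a KV v2 mount, whereas the same policy would suffice for a KV v1 mount. Running the claim check against a real token payload (decoded the same way, without trusting it) shows which of the role's bindings a pipeline run from a different branch or project would fail.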