
Azure Keyvault Secrets JWT error

Summary

JWT token for Azure Keyvault Secrets returns 400

Steps to reproduce

Using the below pipeline, the script works using either id_tokens or the older CI_JOB_JWT_V2 variable. The secrets portion fails. Various attempts have been made here and are included. Using the official document here: https://docs.gitlab.com/ee/ci/secrets/azure_key_vault/ and the OIDC setup doc here: https://docs.gitlab.com/ee/ci/cloud_services/azure/index.html

(FYI, the link to the OIDC setup on the azure_key_vault page is incorrect - it has /ci/ci/ in its path)

example pipeline:

stages:
  - prepare

job2:
  stage: prepare
  image: mcr.microsoft.com/azure-cli:latest
#   secrets:                                  # attempted secrets block (commented out; fails with the 400 below)
#     testpassword:
#       token: $GITLAB_OIDC_TOKEN             # attempt 1: token reference with $
#       token: GITLAB_OIDC_TOKEN              # attempt 2: bare name (only one token: key can be active at a time)
#       azure_key_vault:
#         name: 'test-secret'
#         version: '<secret_version_id>'
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
#     aud: 'azure'                            # alternative audience tried
  script:
    - az login --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID --federated-token $GITLAB_OIDC_TOKEN
#    - az login --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID --federated-token $CI_JOB_JWT_V2   # older variable; the login step also works with this
    - az account show
    - az keyvault secret list --vault-name '<keyvault_name>'
    - echo $testpassword

CI/CD variables set:

  • AZURE_CLIENT_ID
  • AZURE_TENANT_ID
  • AZURE_KEYVAULT_SERVER_URL
  • VAULT_SERVER_URL

What is the current bug behavior?

When using the secrets keyword, the job errors with the following:

ERROR: Job failed (system failure): resolving secrets: getting secret failed: ClientAssertionCredential authentication failed
POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
--------------------------------------------------------------------------------
RESPONSE 400 Bad Request
--------------------------------------------------------------------------------
{
  "error": "invalid_request",
  "error_description": "AADSTS50027: JWT token is invalid or malformed.\r\nTrace ID: 46062437-81ca-4007-b4e0-a3cbb2b44100\r\nCorrelation ID: 6d3ef9e7-ab2e-4562-ad8f-943dd72f4e17\r\nTimestamp: 2023-09-11 10:03:44Z",
  "error_codes": [
    50027
  ],
  "timestamp": "2023-09-11 10:03:44Z",
  "trace_id": "46062437-81ca-4007-b4e0-a3cbb2b44100",
  "correlation_id": "6d3ef9e7-ab2e-4562-ad8f-943dd72f4e17",
  "error_uri": "https://login.microsoftonline.com/error?code=50027"
}

CI_DEBUG_TRACE does not produce any more logs
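When Azure AD answers AADSTS50027 for a federated token, the first defensive check is whether the value the job actually handed over is a well-formed JWT and whether its iss, aud and sub claims match what the federated identity credential is configured to accept. The script below is an added example written for this report (it is not code from the original issue, GitLab or Azure); it decodes claims without verifying the signature (inspection only) and compares them against assumed expected values, using a constructed unsigned token as input.

```python
import base64
import json

def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt_unverified(token):
    """Return (header, claims) of a compact JWT without checking its signature.
    Inspection only: this shows what the token claims, not that it is trustworthy."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 segments, got %d" % len(parts))
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims

def federated_credential_mismatches(token, expected_iss, expected_aud, expected_sub):
    """List the claims that would not match an Azure federated identity credential
    configured with the given issuer, audience and subject (empty list = they line up)."""
    try:
        _, claims = decode_jwt_unverified(token)
    except ValueError as exc:  # covers bad segment count, bad base64 and bad JSON
        return ["token is not a decodable JWT: %s" % exc]
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("iss=%r, expected %r" % (claims.get("iss"), expected_iss))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if expected_aud not in auds:
        problems.append("aud=%r, expected %r" % (aud, expected_aud))
    if claims.get("sub") != expected_sub:
        problems.append("sub=%r, expected %r" % (claims.get("sub"), expected_sub))
    return problems

def make_unsigned_token(claims):
    """Build a CONSTRUCTED token with an empty signature, only to exercise the checks offline."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return "%s.%s." % (header, _b64url_encode(json.dumps(claims).encode()))

# Constructed sample resembling an ID token issued with aud set to https://gitlab.com
SAMPLE_SUB = "project_path:example-group/example-project:ref_type:branch:ref:main"
SAMPLE_TOKEN = make_unsigned_token({"iss": "https://gitlab.com",
                                    "aud": "https://gitlab.com",
                                    "sub": SAMPLE_SUB})
```

In a real job the token to inspect is the value of $GITLAB_OIDC_TOKEN inside the runner, and the expected values are whatever issuer, audience and subject were entered on the app registration's federated credential; decode it locally rather than pasting a live token into third-party decoders.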

What is the expected correct behavior?

It successfully reads a secret

This bug happens on GitLab.com

Edited by Adam Smith