Azure Keyvault Secrets JWT error
### Summary

JWT token for Azure Key Vault secrets returns 400.

### Steps to reproduce

Using the pipeline below, the script works using either `id_tokens` or the older `CI_JOB_JWT_V2` variable. The `secrets` portion fails. Various attempts have been made here and are included.

Using the official document here: https://docs.gitlab.com/ee/ci/secrets/azure_key_vault/ and the OIDC setup doc here: https://docs.gitlab.com/ee/ci/cloud_services/azure/index.html (FYI, the link to the OIDC setup on the azure_key_vault page is incorrect; it has `/ci/ci/` in its path).

Example pipeline:

```yaml
stages:
  - prepare

job2:
  stage: prepare
  image: mcr.microsoft.com/azure-cli:latest
  # secrets:
  #   testpassword:
  #     token: $GITLAB_OIDC_TOKEN
  #     # token: GITLAB_OIDC_TOKEN
  #     azure_key_vault:
  #       name: 'test-secret'
  #       version: '<secret_version_id>'
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
      # aud: 'azure'
  script:
    - az login --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID --federated-token $GITLAB_OIDC_TOKEN
    # - az login --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID --federated-token $CI_JOB_JWT_V2
    - az account show
    - az keyvault secret list --vault-name '<keyvault_name>'
    - echo $testpassword
```

CI/CD variables set:

- AZURE_CLIENT_ID
- AZURE_TENANT_ID
- AZURE_KEYVAULT_SERVER_URL
- VAULT_SERVER_URL

### What is the current *bug* behavior?
When using the `secrets` keyword it errors with the following:

```
ERROR: Job failed (system failure): resolving secrets: getting secret failed: ClientAssertionCredential authentication failed
POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
--------------------------------------------------------------------------------
RESPONSE 400 Bad Request
--------------------------------------------------------------------------------
{
  "error": "invalid_request",
  "error_description": "AADSTS50027: JWT token is invalid or malformed.\r\nTrace ID: 46062437-81ca-4007-b4e0-a3cbb2b44100\r\nCorrelation ID: 6d3ef9e7-ab2e-4562-ad8f-943dd72f4e17\r\nTimestamp: 2023-09-11 10:03:44Z",
  "error_codes": [
    50027
  ],
  "timestamp": "2023-09-11 10:03:44Z",
  "trace_id": "46062437-81ca-4007-b4e0-a3cbb2b44100",
  "correlation_id": "6d3ef9e7-ab2e-4562-ad8f-943dd72f4e17",
  "error_uri": "https://login.microsoftonline.com/error?code=50027"
}
```

CI_DEBUG_TRACE does not produce any more logs.

### What is the expected *correct* behavior?

It successfully reads a secret.

This bug happens on GitLab.com.
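A quick way to narrow down an AADSTS50027 response is to inspect the ID token the job is about to present before it reaches Entra ID: confirm it is three base64url segments, that it decodes, that it is not expired, and that its `iss`, `sub` and `aud` claims match what the federated credential on the Azure side was configured with. The following Python script is an added diagnostic, not part of this issue, of GitLab, or of the Azure SDK; the expected claim values and the HS256-signed sample token it builds are constructed for the demo (real GitLab ID tokens are RS256-signed by the instance), and it deliberately never prints the token itself, only the findings.

```python
import base64
import hashlib
import hmac
import json
import sys
import time
from typing import Optional

# Constructed example values for this demo. In a real job they come from the
# federated credential configured in Entra ID (issuer, subject, audience).
EXPECTED = {
    "iss": "https://gitlab.com",
    "sub": "project_path:example-group/example-project:ref_type:branch:ref:main",
    "aud": "https://gitlab.com",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_id_token(token: str, expected: dict, now: Optional[float] = None) -> dict:
    """Structural and claim checks on an ID token, without signature verification.

    Returns a dict of named findings: True when a check passes, otherwise a short
    explanation. Signature verification is left to the relying party (Entra ID).
    """
    findings = {}
    parts = token.split(".") if token else []
    if len(parts) != 3:
        # An unset CI variable expands to an empty string, which is one benign
        # way to end up sending a "malformed" token.
        findings["three_segments"] = f"expected 3 dot-separated segments, got {len(parts)}"
        return findings
    findings["three_segments"] = True
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:
        findings["decodable"] = f"header/payload is not base64url-encoded JSON: {exc}"
        return findings
    findings["decodable"] = True
    alg = header.get("alg")
    findings["alg_present"] = True if alg and alg != "none" else "header has no signing algorithm"
    for claim in ("iss", "sub", "aud"):
        actual = payload.get(claim)
        # aud may be a list; treat it as matching when the expected value is listed.
        ok = expected[claim] in actual if isinstance(actual, list) else actual == expected[claim]
        findings[claim] = True if ok else f"{claim}={actual!r}, federated credential expects {expected[claim]!r}"
    now = time.time() if now is None else now
    exp = payload.get("exp")
    findings["not_expired"] = True if isinstance(exp, (int, float)) and exp > now else f"exp={exp!r} is missing or in the past"
    return findings


def build_sample_token(claims: dict, secret: bytes = b"constructed-demo-secret") -> str:
    """Build an HS256-signed token for the demo only (real GitLab ID tokens are RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python3 inspect_token.py "$GITLAB_OIDC_TOKEN" inside the job; only findings are printed.
        print(inspect_id_token(sys.argv[1], EXPECTED))
    else:
        good = build_sample_token({**EXPECTED, "exp": int(time.time()) + 300})
        print("well-formed sample:", inspect_id_token(good, EXPECTED))
        print("empty variable:", inspect_id_token("", EXPECTED))
        wrong_aud = build_sample_token({**EXPECTED, "aud": "azure", "exp": int(time.time()) + 300})
        print("audience mismatch:", inspect_id_token(wrong_aud, EXPECTED))
```

Run it with no arguments to see the three constructed cases, or pass the job's token as the single argument to check the real one. Any finding other than `True` is something to fix on the GitLab or Entra ID side before retrying; if every finding passes and Entra ID still returns AADSTS50027, the token content is not the problem and the request the secrets resolver sends is the next thing to look at.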