terraform-provider-vault
Remove default empty list for bound_audience
Remove the default empty vector for bound_audience because it must be nil to skip the aud check when a JWT doesn't contain that claim, which is the GitLab JWT case.
Hi guys, this is the case if we create this role by hand:

```shell
vault write auth/jwt/role/gitlab - <<EOF
{
  "role_type": "jwt",
  "policies": ["default", "gitlab"],
  "token_explicit_max_ttl": 60,
  "user_claim": "user_email",
  "bound_claims_type": "glob",
  "bound_claims": {
    "project_path": "infrastructure/vault",
    "ref_type": "branch"
  }
}
EOF
```
the config will be:

```text
vault read auth/jwt/role/gitlab
Key                     Value
---                     -----
allowed_redirect_uris   <nil>
bound_audiences         <nil>
bound_claims            map[project_path:infrastructure/vault ref_type:branch]
bound_subject           n/a
claim_mappings          <nil>
clock_skew_leeway       0
expiration_leeway       0
groups_claim            n/a
not_before_leeway       0
oidc_scopes             <nil>
role_type               jwt
token_bound_cidrs       []
token_explicit_max_ttl  1m
token_max_ttl           0s
token_no_default_policy false
token_num_uses          0
token_period            0s
token_policies          [default gitlab]
token_ttl               0s
token_type              default
user_claim              email_user
verbose_oidc_logging    false
```
On the other hand, if we create it with this provider:

```hcl
resource "vault_jwt_auth_backend_role" "gitlab_role" {
  backend        = vault_jwt_auth_backend.jwt.path
  role_type      = "jwt"
  role_name      = "gitlab"
  token_policies = ["default", "gitlab"]
  bound_claims = {
    project_path = "infrastructure/vault"
    ref_type     = "branch"
  }
  token_explicit_max_ttl = 60
  user_claim             = "email_user"
}
```
the output will be:

```text
vault read auth/jwt/role/gitlab
Key                     Value
---                     -----
allowed_redirect_uris   <nil>
bound_audiences         []
bound_claims            map[project_path:infrastructure/vault ref_type:branch]
bound_subject           n/a
claim_mappings          <nil>
clock_skew_leeway       0
expiration_leeway       0
groups_claim            n/a
not_before_leeway       0
oidc_scopes             <nil>
role_type               jwt
token_bound_cidrs       []
token_explicit_max_ttl  1m
token_max_ttl           0s
token_no_default_policy false
token_num_uses          0
token_period            0s
token_policies          [default gitlab]
token_ttl               0s
token_type              default
user_claim              email_user
verbose_oidc_logging    false
```
What's the problem with this default empty vector:

- Vault will try to validate the bound_audiences because it is not `<nil>`.
- In the case of the GitLab JWT, which is set automatically in any job as CI_JOB_JWT and won't contain the bound_audiences claim, the whole integration fails, just like this:

```text
Error writing data to auth/jwt/login: Error making API request.

URL: PUT https://vault_server/v1/auth/jwt/login
Code: 400. Errors:

* error validating claims: aud claim does not match any bound audience
```
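The `<nil>` versus `[]` distinction above is easy to lose when a provider builds its API payload, so here is an added Go example (written for this page, not code from the provider or from Vault) that models both halves of the report: a conversion that always emits a non-nil slice, the corrected conversion that emits nil when the HCL attribute is unset, and an audience check that, as the PR describes, is skipped only for a nil list while an empty list is enforced and matches nothing. The `roleRequest` struct, the function names and the `audCheck` model are assumptions for illustration; the GitLab token with no `aud` claim is a constructed input.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// roleRequest models the body a client sends to auth/jwt/role/<name>.
// Assumption for this example: a nil slice marshals to JSON null and an
// empty slice to [], which is the <nil> versus [] difference seen in
// `vault read` on the page.
type roleRequest struct {
	RoleType       string            `json:"role_type"`
	UserClaim      string            `json:"user_claim"`
	BoundAudiences []string          `json:"bound_audiences"`
	BoundClaims    map[string]string `json:"bound_claims"`
}

// boundAudiencesBeforeFix mirrors the behaviour the PR removes: the
// Terraform list is always converted into a non-nil slice, so an unset
// attribute reaches Vault as [].
func boundAudiencesBeforeFix(items []interface{}) []string {
	out := make([]string, 0, len(items))
	for _, v := range items {
		out = append(out, v.(string))
	}
	return out
}

// boundAudiencesAfterFix returns nil when nothing was configured, so the
// role is written with no audience restriction at all.
func boundAudiencesAfterFix(items []interface{}) []string {
	if len(items) == 0 {
		return nil
	}
	return boundAudiencesBeforeFix(items)
}

// marshalRole renders the request body so the two cases can be compared.
func marshalRole(bound []string) string {
	body, _ := json.Marshal(roleRequest{
		RoleType:       "jwt",
		UserClaim:      "user_email",
		BoundAudiences: bound,
		BoundClaims: map[string]string{
			"project_path": "infrastructure/vault",
			"ref_type":     "branch",
		},
	})
	return string(body)
}

// audCheck models the server-side behaviour described in the PR (an
// assumption for this example, not Vault's code): the audience check is
// skipped only when no audience list was stored; a stored empty list is
// enforced and can never match.
func audCheck(bound []string, tokenAud []string) error {
	if bound == nil {
		return nil
	}
	for _, b := range bound {
		for _, a := range tokenAud {
			if a == b {
				return nil
			}
		}
	}
	return errors.New("error validating claims: aud claim does not match any bound audience")
}

func main() {
	var unset []interface{}   // bound_audiences not set in HCL
	var gitlabJWTAud []string // constructed: CI_JOB_JWT carries no aud claim

	fmt.Println("before:", marshalRole(boundAudiencesBeforeFix(unset)))
	fmt.Println("login :", audCheck(boundAudiencesBeforeFix(unset), gitlabJWTAud))
	fmt.Println("after :", marshalRole(boundAudiencesAfterFix(unset)))
	fmt.Println("login :", audCheck(boundAudiencesAfterFix(unset), gitlabJWTAud))
}
```

Running it prints `"bound_audiences":[]` and the login error for the pre-fix conversion, and `"bound_audiences":null` with a nil error for the fixed one. The design point is that "no restriction" and "an empty restriction" must stay distinguishable all the way from HCL to the API body; collapsing both into an empty list silently turns an unrestricted role into one no token can satisfy.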
Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement
Learn more about why HashiCorp requires a CLA and what the CLA includes
Jorge Medina seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
Have you signed the CLA already but the status is still pending? Recheck it.
@mnothic Hi, thanks for the contribution! If you are willing to sign the CLA we can try to get this merged.