
Unclear Info in Deprecations page for "HashiCorp Vault integration will no longer use CI_JOB_JWT by default" section.

The Issue

On the deprecation page, in the HashiCorp Vault integration will no longer use CI_JOB_JWT by default section it states the following:

To be prepared for this change, you should do the following before GitLab 16.0:

  • Disable the use of JSON web tokens in the pipeline.
  • Ensure the bound audience is prefixed with https://.
  • Use the new id_tokens keyword and configure the aud claim

I believe that "bound audience" in the 2nd bullet point should be "bound issuer" and made clearer that it's the bound_issuer key of the Vault JWT auth config OR, if the 2nd bullet is indeed true, a 4th bullet should be added describing that a user may need to update the Vault JWT auth config to include the prefix as well.

My Findings

I was attempting to implement the new id_tokens auth method for the native Gitlab/Hashicorp Vault integration (I'm using Gitlab SaaS). When I did so I was getting the following error:
[image: error screenshot]

I had followed the steps to enable automatic ID token authentication and had configured my pipeline job appropriately. My Vault JWT auth config is below:

[image: Vault JWT auth config]

NOTE: the above JWT auth config works just fine for the old method of auth that's being deprecated in Gitlab 16.0.

My Resolution

I resolved the issue and was able to connect successfully to my Vault instance using the new id_tokens auth method once I updated my Vault JWT auth config to include the "https://" prefix for the bound_issuer key.

[image: updated Vault JWT auth config]
[image: successful pipeline output]

Related Issue

I am aware of #335186 (closed) which discusses (in wonderful detail!) the evolution of the value of the issuer claim for JWT tokens. This is largely what led me to realize I needed to update my bound_issuer key to include the https:// prefix. I'm hoping to maybe save others the confusion by getting some documentation updated to be a little more clear.

Edited by Jakob McCarty
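As an added illustration (not code from this issue, GitLab, or Vault): the check below decodes the claims of a constructed, unsigned sample ID token and applies the same exact-string comparison that Vault's JWT auth method makes between the token's `iss` claim and the configured `bound_issuer` (plus the `aud` versus `bound_audiences` check), which is why a config that worked for the older token fails once the issuer carries the `https://` prefix. The token claims and the `vault.example.com` audience are assumptions.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment with the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT. This does NOT verify the signature;
    it only reads the claims so they can be compared with the Vault config."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def vault_would_accept(token: str, bound_issuer: str, bound_audiences: list) -> tuple:
    """Mimic the two exact-string checks a JWT login must pass: the iss claim
    must equal bound_issuer verbatim, and an aud value must be in bound_audiences."""
    claims = jwt_claims(token)
    if claims.get("iss") != bound_issuer:
        return False, f"issuer mismatch: token iss={claims.get('iss')!r}, bound_issuer={bound_issuer!r}"
    auds = claims.get("aud")
    auds = [auds] if isinstance(auds, str) else list(auds or [])
    if not any(a in bound_audiences for a in auds):
        return False, f"audience mismatch: token aud={auds!r}, bound_audiences={bound_audiences!r}"
    return True, "ok"


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token (placeholder signature) for inspection only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed claims shaped like a GitLab id_tokens token; all values are assumptions.
ID_TOKEN = make_sample_token({
    "iss": "https://gitlab.com",
    "aud": "https://vault.example.com",
    "sub": "project_path:group/project:ref_type:branch:ref:main",
    "project_path": "group/project",
})

if __name__ == "__main__":
    # A bound_issuer without the prefix (as used with CI_JOB_JWT) is rejected for the ID token...
    print(vault_would_accept(ID_TOKEN, "gitlab.com", ["https://vault.example.com"]))
    # ...and accepted once bound_issuer carries the https:// prefix.
    print(vault_would_accept(ID_TOKEN, "https://gitlab.com", ["https://vault.example.com"]))
```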