Azure Keyvault Secrets JWT error
Summary
JWT token for Azure Keyvault Secrets returns 400
Steps to reproduce
Using the below pipeline, the script works using either id_tokens or the older CI_JOB_JWT_V2 variable. The secrets portion fails. Various attempts have been made here and are included. Using the official document here: https://docs.gitlab.com/ee/ci/secrets/azure_key_vault/ and the OIDC setup doc here: https://docs.gitlab.com/ee/ci/cloud_services/azure/index.html
(FYI, the link to the OIDC setup on the azure_key_vault page is incorrect - it has /ci/ci/ in its path)
example pipeline:

```yaml
stages:
  - prepare

job2:
  stage: prepare
  image: mcr.microsoft.com/azure-cli:latest
  # secrets:
  #   testpassword:
  #     token: $GITLAB_OIDC_TOKEN
  #     # token: GITLAB_OIDC_TOKEN
  #     azure_key_vault:
  #       name: 'test-secret'
  #       version: '<secret_version_id>'
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
      # aud: 'azure'
  script:
    - az login --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID --federated-token $GITLAB_OIDC_TOKEN
    # - az login --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID --federated-token $CI_JOB_JWT_V2
    - az account show
    - az keyvault secret list --vault-name '<keyvault_name>'
    - echo $testpassword
```
CI/CD variables set:
- AZURE_CLIENT_ID
- AZURE_TENANT_ID
- AZURE_KEYVAULT_SERVER_URL
- VAULT_SERVER_URL
What is the current bug behavior?
When using the secrets keyword it errors with the following:

```text
ERROR: Job failed (system failure): resolving secrets: getting secret failed: ClientAssertionCredential authentication failed
POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
--------------------------------------------------------------------------------
RESPONSE 400 Bad Request
--------------------------------------------------------------------------------
{
  "error": "invalid_request",
  "error_description": "AADSTS50027: JWT token is invalid or malformed.\r\nTrace ID: 46062437-81ca-4007-b4e0-a3cbb2b44100\r\nCorrelation ID: 6d3ef9e7-ab2e-4562-ad8f-943dd72f4e17\r\nTimestamp: 2023-09-11 10:03:44Z",
  "error_codes": [
    50027
  ],
  "timestamp": "2023-09-11 10:03:44Z",
  "trace_id": "46062437-81ca-4007-b4e0-a3cbb2b44100",
  "correlation_id": "6d3ef9e7-ab2e-4562-ad8f-943dd72f4e17",
  "error_uri": "https://login.microsoftonline.com/error?code=50027"
}
```

CI_DEBUG_TRACE does not produce any more logs.
What is the expected correct behavior?
It successfully reads a secret
This bug happens on GitLab.com
Edited by Adam Smith