GitLab Community Edition 14.2.7
curl -s -k -X GET https://gitlab.domain.com/-/jwks
{"keys":[{"kty":"RSA","kid":"xUeI9jobL................194Xg0gj5DSct8O__KR6I8RoTTBACp1lRYSlBO4w","use":"sig","alg":"RS256"}]}
在拱顶:
创建了一个秘密:vault kv put secret/projects/test/mariadb login=user password=pass
创建策略:
vault policy write project-test - <<EOF
path "secret/projects/test/*" {
capabilities = [ "read" ]
}
EOF
创建JWT角色:
vault write auth/jwt/role/project-test - <<EOF
{
"role_type": "jwt",
"policies": ["project-test"],
"token_explicit_max_ttl": 60,
"user_claim": "my@mail.com",
"bound_claims": {
"project_id": "321",
"ref": "main",
"ref_type": "branch"
}
}
EOF
vault write auth/jwt/config jwks_url="https://gitlab.domain.com/-/jwks" bound_issuer="gitlab.domain.com"
project_id是正确的,主分支。
In GitLab CI:
stages:
- test_vault
test:
stage: test_vault
script:
- echo $CI_COMMIT_REF_NAME
- export VAULT_ADDR=https://k8s.domain.com:8700
- export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=project-test jwt=$CI_JOB_JWT)"
- export LOGIN="$(vault kv get -field=login secret/projects/test/mariadb)"
- export PASSWORD="$(vault kv get -field=password secret/projects/test/mariadb)"
- echo $LOGIN
- echo $PASSWORD
在输出中,到处都是403。哪里不允许访问?
$ export VAULT_ADDR=https://k8s.domain.com:8700
$ export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=project-test jwt=$CI_JOB_JWT)"
Error writing data to auth/jwt/login: Error making API request.
URL: PUT https://k8s.domain.com:8700/v1/auth/jwt/login
Code: 400. Errors:
* claim "my@mail.com" not found in token
我看到它在claim "my@mail.com" not found in token发誓,但不清楚在哪里得到正确的user_claim?
使用JWT/OIDC身份验证的GitlabCI角色的授权策略有点错误。看来你用电子邮件地址替换了user_email。该值不是占位符,而是Vault将令牌与触发身份验证的用户的关联电子邮件相关联的指令:
{
"role_type": "jwt",
"policies": ["project-test"],
"token_explicit_max_ttl": 60,
"user_claim": "user_email",
"bound_claims": {
"project_id": "321",
"ref": "main",
"ref_type": "branch"
}
}
在此之后可能会有另一个问题,但其余的配置是LGTM,这将使您越过当前的阻塞器。