Authenticating github actions to vault fails when an environment is set in the job
Question
Having issues where if I specify an environment for a github actions job I can no longer authenticate to vault using JWT auth.
This is how we have vault set up...
```hcl
module "github-actions" {
  source           = "../../module/github-actions"
  vault_addr       = local.vault_addr
  env              = local.env
  application_name = local.application_name
  role             = format("%s-%s-onboarding", local.env, local.application_name)
  github_oidc_bindings = [
    {
      audience : "https://github.com/organization-name",
      vault_role_name : "vault-role-name",
      bound_subject : "repo:organization-name/repo-name:ref:refs/heads/main",
      vault_policies : [
        "vault-policy-name"
      ]
    }
  ]
}
```
I'm using the latest (2.5.0) vault-action from hashicorp, which is set up like this...
```yaml
- name: get_secret
  id: get_secret
  uses: hashicorp/vault-action@v2.5.0
  with:
    url: ${{ env.VAULT_ADDR }}
    namespace: ${{ env.VAULT_NAMESPACE }}
    role: ${{ env.VAULT_ROLE }}
    method: jwt
    path: github-actions
    secrets: |
      secret/data/api/path secret_name
```
This all works fine and the action is able to authenticate and retrieve the secret, until I specify an environment for the job in the workflow file, so if I was to add the following to the job definition...
```yaml
environment: production
```
I then get the following error returned from vault indicating that the claim sent by github doesn't match the bound_subject set in the vault config...
> Error: failed to retrieve vault token. code: ERR_NON_2XX_3XX_RESPONSE,
> message: Response code 400 (Bad Request), vaultResponse:
> {"errors":["error validating claims: claim "sub" does not match any
> associated bound claim values"]}
So my question is what should the bound_claims look like for jobs using environments as it appears that this changes depending on the environment used. I don't seem to be able to find any documentation on this at all.
Answer 1
Score: 0
Finally figured this out, turns out that if you specify an environment for your jobs, then the subject claim in the jwt/oidc token changes from:
> repo:organization-name/repo-name:ref:refs/heads/main
to...
> repo:organization-name/repo-name:environment:env_name
So I updated the bound_claims in the github-actions module config in vault to include both the repo and the environment (could also use a wildcard if you wanted) and now the auth works.
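To make the question ("what should the bound_claims look like") and the answer concrete, here is an added illustration, not code from the question, the answer, or Vault itself, that emulates how a Vault JWT role's bound_claims check the `sub` claim: it reproduces the two subject formats above plus the one GitHub issues for pull_request-triggered jobs, and compares the original role, the fixed role listing both subjects, and a repo-wide wildcard. The repository name and claim values are constructed placeholders; the matching semantics (exact match for bound_claims_type "string", `*` wildcard for "glob") follow Vault's documented behaviour but are reimplemented here, not called from Vault.

```python
import re

# "sub" claims GitHub puts in the OIDC token for one repo, depending on how the
# job was triggered (placeholder repo name, constructed for this example).
REPO = "repo:organization-name/repo-name"
SUB_BRANCH_MAIN = f"{REPO}:ref:refs/heads/main"      # plain job running on main
SUB_ENVIRONMENT = f"{REPO}:environment:production"   # job with environment: production
SUB_PULL_REQUEST = f"{REPO}:pull_request"            # job triggered by a pull request


def sub_matches(sub, bound_values, claims_type="string"):
    """Emulate a Vault JWT role's bound_claims check for the 'sub' claim.

    claims_type "string": the token's sub must equal one of the listed values.
    claims_type "glob":   '*' in a listed value matches any run of characters.
    """
    for value in bound_values:
        if claims_type == "string":
            if sub == value:
                return True
        elif claims_type == "glob":
            pattern = ".*".join(re.escape(part) for part in value.split("*"))
            if re.fullmatch(pattern, sub):
                return True
        else:
            raise ValueError(f"unknown bound_claims_type: {claims_type}")
    return False


# The role as the question configured it: only the branch subject is bound.
ORIGINAL_BOUND_SUB = [SUB_BRANCH_MAIN]
# The fix from the answer: bind both the branch and the environment subject.
FIXED_BOUND_SUB = [SUB_BRANCH_MAIN, SUB_ENVIRONMENT]
# A repo-wide wildcard (needs bound_claims_type "glob"): accepts every subject
# the repo can mint, including tokens from pull_request jobs.
WILDCARD_BOUND_SUB = [f"{REPO}:*"]


def evaluate(bound_values, claims_type="string"):
    """Return which of the three token subjects the role would accept."""
    return {name: sub_matches(sub, bound_values, claims_type)
            for name, sub in (("main", SUB_BRANCH_MAIN),
                              ("environment", SUB_ENVIRONMENT),
                              ("pull_request", SUB_PULL_REQUEST))}


if __name__ == "__main__":
    for label, values, ctype in (("original", ORIGINAL_BOUND_SUB, "string"),
                                 ("fixed", FIXED_BOUND_SUB, "string"),
                                 ("wildcard", WILDCARD_BOUND_SUB, "glob")):
        print(f"{label:9} {evaluate(values, ctype)}")
```

The wildcard row shows why a repo-wide glob is broader than the two-subject list: it also admits tokens from pull_request jobs, so listing the exact subjects you expect is the tighter binding.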