在作业中设置环境时,将GitHub Actions身份验证到Vault失败。

huangapple go评论69阅读模式
英文:

Authenticating github actions to vault fails when an environment is set in the job

问题

I can help you translate the text. Here's the translated content:

遇到问题,如果我为 GitHub Actions 作业指定一个环境,我就无法再使用 JWT 身份验证来访问 Vault。

这是我们设置 Vault 的方式...

module "github-actions" {
  source               = "../../module/github-actions"
  vault_addr           = local.vault_addr
  env                  = local.env
  application_name     = local.application_name
  role                 = format("%s-%s-onboarding", local.env, local.application_name)
  github_oidc_bindings = [
    {
      audience : "https://github.com/organization-name",
      vault_role_name : "vault-role-name",
      bound_subject : "repo:organization-name/repo-name:ref:refs/heads/main",
      vault_policies : [
        "vault-policy-name"
      ]
    }
  ]
}

我正在使用最新版本(2.5.0)的 HashiCorp vault-action,设置如下...

- name: get_secret
  id: get_secret
  uses: hashicorp/vault-action@v2.5.0
  with:
    url: ${{ env.VAULT_ADDR }}
    namespace: ${{ env.VAULT_NAMESPACE }}
    role: ${{ env.VAULT_ROLE }}
    method: jwt
    path: github-actions
    secrets: |
            secret/data/api/path secret_name

这一切都运行正常,操作能够成功验证并获取密钥,直到我在工作流文件中为作业指定一个环境,所以如果我要将以下内容添加到作业定义中...

environment: production

然后我会收到来自 Vault 的以下错误,指示 GitHub 发送的声明与 Vault 配置中设置的 bound_subject 不匹配...

错误:无法检索 Vault 令牌。代码:ERR_NON_2XX_3XX_RESPONSE,
消息:响应代码 400(错误请求),vaultResponse:
{"errors":["验证声明时出错:声明“sub”与任何相关绑定声明值不匹配"]}

所以我的问题是,对于使用环境的作业,bound_claims 应该是什么样的,因为看起来这会根据所使用的环境而变化。我似乎找不到关于这方面的任何文档。

英文:

Having issues where if I specify an environment for a github actions job I can no longer authenticate to vault using JWT auth.

This is how we have vault set up...

module "github-actions" {
  source               = "../../module/github-actions"
  vault_addr           = local.vault_addr
  env                  = local.env
  application_name     = local.application_name
  role                 = format("%s-%s-onboarding", local.env, local.application_name)
  github_oidc_bindings = [
    {
      audience : "https://github.com/organization-name",
      vault_role_name : "vault-role-name",
      bound_subject : "repo:organization-name/repo-name:ref:refs/heads/main",
      vault_policies : [
        "vault-policy-name"
      ]
    }
  ]
}

I'm using the latest (2.5.0) vault-action from hashicorp, which is set up like this...

- name: get_secret
        id: get_secret
        uses: hashicorp/vault-action@v2.5.0
        with:
          url: ${{ env.VAULT_ADDR }}
          namespace: ${{ env.VAULT_NAMESPACE }}
          role: ${{ env.VAULT_ROLE }}
          method: jwt
          path: github-actions
          secrets: |
            secret/data/api/path secret_name

This all works fine and the action is able to authenticate and retrieve the secret, until I specify an environment for the job in the workflow file, so if I was to add the following to the job definition...

environment: production

I then get the following error returned from vault indicating that the claim sent by github doesn't match the bound_subject set in the vault config...

> Error: failed to retrieve vault token. code: ERR_NON_2XX_3XX_RESPONSE,
> message: Response code 400 (Bad Request), vaultResponse:
> {"errors":["error validating claims: claim "sub" does not match any
> associated bound claim values"]}

So my question is what should the bound_claims look like for jobs using environments as it appears that this changes depending on the environment used. I don't seem to be able to find any documentation on this at all.

答案1

得分: 0

"Finally figured this out, turns out that if you specify an environment for your jobs, then the subject claim in the jwt/oidc token changes from:

> repo:organization-name/repo-name:ref:refs/heads/main

to...

> repo:organization-name/repo-name:environment:env_name

So I updated the bound_claims in the github-actions module config in vault to include both the repo and the environment (could also use a wildcard if you wanted) and now the auth works."

英文:

Finally figured this out, turns out that if you specify an environment for your jobs, then the subject claim in the jwt/oidc token changes from:

> repo:organization-name/repo-name:ref:refs/heads/main

to...

> repo:organization-name/repo-name:environment:env_name

So I updated the bound_claims in the github-actions module config in vault to include both the repo and the environment (could also use a wildcard if you wanted) and now the auth works.

huangapple
  • 本文由 发表于 2023年5月24日 22:23:41
  • 转载请务必保留本文链接:https://go.coder-hub.com/76324589.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定