我正在配置 Gitlab CI 管道,并且需要从我的 Hashicorp Vault 中检索机密。我确实配置为 Gitlab Docs - Hashicorp Vault KV-V2。
我在 Hashicorp Vault 上有一个附加到此 JWT 身份验证后端的角色,我想知道我必须在该角色使用的 Vault 策略上编写所需的权限,因为使用实际策略,当管道运行时我收到错误:
Resolving secrets
Resolving secret "VAULT_SECRET_ID"...
Using "vault" secret resolver...
ERROR: Job failed (system failure): resolving secrets: reading secret: reading from Vault: api error: status code 403: 1 error occurred:
* permission denied
这是我的 Vault JWT 身份验证配置(通过 Terraform 配置)。
data "vault_policy_document" "gitlab_jwt" {
rule {
capabilities = ["create", "read"]
path = "auth/jwt/gitlab"
}
rule {
capabilities = ["read"]
path = "auth/jwt/gitlab/role/gitlab"
}
rule {
capabilities = ["read"]
path = "devops/example/secret"
}
}
resource "vault_policy" "gitlab_jwt" {
name = "vault-gitlab-jwt"
policy = data.vault_policy_document.gitlab_jwt.hcl
}
resource "vault_jwt_auth_backend" "gitlab" {
description = "Gitlab JWT authentication"
path = "jwt/gitlab"
bound_issuer = "https://gitlab.com"
jwks_url = "https://gitlab.com/-/jwks"
}
resource "vault_jwt_auth_backend_role" "gitlab" {
backend = vault_jwt_auth_backend.gitlab.path
role_name = "gitlab"
role_type = "jwt"
token_no_default_policy = true
token_explicit_max_ttl = 60
token_policies = [vault_policy.gitlab_jwt.name]
user_claim = "user_login"
bound_claims_type = "glob"
bound_claims = {
project_path = "example/*"
}
}
这是我的
.gitlab-ci.yml
文件:
variables:
VAULT_SERVER_URL: "https://vault.example.com"
VAULT_AUTH_PATH: "jwt/gitlab"
VAULT_AUTH_ROLE: "gitlab"
VAULT_FORMAT: "json"
vault:
id_tokens:
VAULT_ID_TOKEN:
aud: $VAULT_SERVER_URL
secrets:
VAULT_ROLE_ID:
vault: example/secret/key@devops
file: false
VAULT_SECRET_ID:
vault: example/secret/key@devops
file: false
...
我知道问题出在附加到 JWT 身份验证角色的 Vault 策略上,因为当我更改根策略的策略并且它运行良好时:
data "vault_policy_document" "gitlab_jwt" {
rule {
capabilities = ["create", "read", "update", "delete", "patch"]
path = "*"
}
}
基于这些 Vault 配置,我如何编写安全策略以允许来自 Gitlab 的 JWT 身份验证而不使用角色的根策略?
我会这样尝试:
resource "vault_policy" "gitlab_jwt" {
name = "vault-gitlab-jwt"
policy = <<EOT
path "devops/example/secret/*" {
capabilities = ["read"]
}
EOT
}
}
resource "vault_jwt_auth_backend" "gitlab" {
description = "Gitlab JWT authentication"
path = "jwt"
bound_issuer = "https://gitlab.com"
jwks_url = "https://gitlab.com/-/jwks"
}
resource "vault_jwt_auth_backend_role" "gitlab" {
backend = vault_jwt_auth_backend.gitlab.path
role_name = "gitlab"
role_type = "jwt"
token_max_ttl = 60
token_policies = [vault_policy.gitlab_jwt.name]
user_claim = "user_login"
bound_claims_type = "glob"
bound_claims = {
"namespace_path": "example/*"
}
也许你很久以前就已经解决了:)那么抱歉
管道中的受众应该是 gitlab。不是保险库 URL。
另请记住,如果您使用 HCP Vault,则需要额外的变量:
导出 VAULT_NAMESPACE=admin
我使用自托管 Vault 和 HCP 成功配置了 Gitlab。