hashicorp/vault-action

[BUG] JWT with GitHub OIDC always returns 403 if the login method is not jwt/

AdamCarballo opened this issue · 1 comment

Vault server version

v1.15.2

vault-action version

v2.7.4

Describe the bug

Trying to use JWT with GitHub OIDC authentication fails (403) no matter what secrets are being accessed.
After some debugging (thank you for mentioning ACTIONS_STEP_DEBUG!) I realized my custom JWT login, placed at jwt/github_actions, will not work, as the action will only try to log in at jwt/. I can't see any way to override this functionality.

I ensured the vault configuration, auth, role and token are correct by using a troubleshoot step in my GitHub action script:

# Fetch the GitHub OIDC token and wrap it in the JSON body Vault's JWT login expects
curl -sSL -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | \
 jq "{ jwt: .value, role: \"<ROLE-NAME>\" }" > ./token.json

# Decode the JWT payload (second dot-separated segment) to inspect its claims
echo 'GitHub Actions Token Claims'
cat ./token.json | jq -r '.jwt | split(".") | .[1] | @base64d' | jq

# Log in against the custom mount path (jwt/github_actions), not the default jwt/
echo 'Vault Login Response'
curl -sSLf -X POST -H "Content-Type: application/json" --data @token.json <URL>/v1/auth/jwt/github_actions/login

# Remove the token file when we're done (if we don't fail)
rm ./token.json

Running this code on my action returns a valid token that I can then use to log in to my vault (UI & CLI) and access all the secrets I would expect to access:

Vault Login Response
{"request_id":"XXX","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":null,"auth":{"client_token":"hvs.XXX","accessor":"XXX","policies":["default","<MY-POLICY>"],"token_policies":["default","<MY-POLICY>"],"metadata":{"role":"<MY-ROLE>"},"lease_duration":100,"renewable":true,"entity_id":"XXX","token_type":"service","orphan":true,"mfa_requirement":null,"num_uses":0}}

But, the next step is the vault-action, which fails with an error:

failed to retrieve vault token. code: ERR_NON_2XX_3XX_RESPONSE, message: Response code 403 (Forbidden), vaultResponse: {"errors":["permission denied"]}

To Reproduce

Make sure you create an auth method that contains a subpath after jwt, like jwt/test

workflow.yml

name: My_Name
on:
  push:
    branches:
      - master

jobs:
  my_name:
    runs-on: ubuntu-latest
    permissions:
        contents: read
        id-token: write
    steps:
      - name: Checkout branch
        uses: actions/checkout@v4
      
      - name: Troubleshooting
        run: <SHOWN BEFORE, redundant>
      
      - name: Retrieve Secrets
        id: retrieve-secrets
        uses: hashicorp/vault-action@v2
        with:
          url: <URL>
          role: <ROLE>
          method: jwt
          secrets: |
            kv/test secret | TEST_SECRET

Role JSON config

{
    "role_name":"<ROLE>",
    "role_type":"jwt",
    "bound_audiences": ["https://github.com/AdamCarballo"],
    "user_claim":"actor",
    "bound_claims_type": "glob",
    "bound_claims":{
        "sub": "repo:AdamCarballo/*"
    },
    "policies": ["<POLICY>"],
    "ttl": "100"
}

Expected behaviour

I should be able to access my vault with the token automatically generated by the vault-action action, provided I can report which path to look up.

Log Output

::group::Get Vault Secrets
Get Vault Secrets
  ##[debug]ID token url is XXX
  ::add-mask::***
  ##[debug]Retrieving Vault Token from v1/auth/jwt/login endpoint
  ::endgroup::
Error: failed to retrieve vault token. code: ERR_NON_2XX_3XX_RESPONSE, message: Response code 403 (Forbidden), vaultResponse: {"errors":["permission denied"]}
##[debug]Node Action run completed with exit code 1

Additional context

I also tried many other vault-action versions to make sure it wasn't something that was happening only on latest.

Of course, after I submitted I found the path option in the source... Closing as this is fixed if path: is set.
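The corrected "Retrieve Secrets" step, as an added example that is not part of the original issue or of the vault-action project's own documentation. It assumes the action's `path` input names the auth mount relative to `auth/` (so `jwt/github_actions` for a method mounted at `auth/jwt/github_actions`), which matches the `v1/auth/<path>/login` endpoint shown in the debug log and the endpoint the troubleshooting curl above logs in against. `<URL>` and `<ROLE>` are the same placeholders the issue uses.

```yaml
      - name: Retrieve Secrets
        id: retrieve-secrets
        uses: hashicorp/vault-action@v2
        with:
          url: <URL>
          role: <ROLE>
          method: jwt
          # Auth mount path relative to auth/ (assumed input form; when omitted the
          # action falls back to the method name, i.e. jwt/, and logs in at
          # v1/auth/jwt/login, which is the endpoint the 403 came from).
          # With this set, login goes to v1/auth/jwt/github_actions/login,
          # the same endpoint the troubleshooting curl step uses.
          path: jwt/github_actions
          secrets: |
            kv/test secret | TEST_SECRET
```

With ACTIONS_STEP_DEBUG enabled, the `Retrieving Vault Token from ... endpoint` debug line is the quickest check that the configured path took effect: it should name the custom mount rather than `v1/auth/jwt/login`. Keeping the `path` value identical to the mount used in the curl troubleshooting step means the two login attempts exercise the same role, policies and bound claims, so a success in one and a 403 in the other points at the action configuration rather than at the role.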