[BUG] Exception hit during verify_github_token: The token is not yet valid (iat)

Question

[BUG] Exception hit during verify_github_token: The token is not yet valid (iat)

Opened this issue 8 months ago · 0 comments

spdracers commented 8 months ago

Vault server version

v1.14.1

vault-action version

v2.7.4

Describe the bug

We ran into a scenario where we believe clock drift between the github runner and the vault server were out of sync; specifically the runner being ahead of the vault. This resulted in authentication failures.

To Reproduce

Set the issued at (IAT) to a time farther in the future.

Expected behavior

Error free authentication.

Log Output

Exception hit during verify_github_token: The token is not yet valid (iat)

Additional context

Github recommends setting the issued at (iat) to 60 seconds in the past to better handle this scenario, however the action currently uses now().

https://docs.github.com/en/enterprise-server@3.12/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app

For our Hashi friends, please reference ticket 144645 since we weren't able to have a deeper conversation around https://developer.hashicorp.com/vault/api-docs/auth/jwt#clock_skew_leeway.