
Error: failed to retrieve vault token. code: ERR_NON_2XX_3XX_RESPONSE, message: Response code 400 (Bad Request), vaultResponse: {"errors":["could not load configuration"]}[BUG] #560

Open
ragh2711 opened this issue Jul 26, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@ragh2711

Vault server version

v1.16.2

vault-action version

v3

Describe the bug

JWT token is not working on our new vault setup and we are getting the below error:

Error: failed to retrieve vault token. code: ERR_NON_2XX_3XX_RESPONSE, message: Response code 400 (Bad Request), vaultResponse: {"errors":["could not load configuration"]}[BUG]

Please find the snippet of the workflow below:

```yaml
env:
  VAULT_ADDR: "https://secrets.********.net"
  VAULT_NAMESPACE: "admin/*************"
  VAULT_ROLE: " kpt-platform-testqa-wus3-rg_rw_role"

- name: Pull HC Vault secrets
  uses: hashicorp/vault-action@v3
  id: secrets
  with:
    method: jwt
    url: ${{env.VAULT_ADDR}}
    namespace: ${{env.VAULT_NAMESPACE}}
    role: ${{env.VAULT_ROLE}}
    # lines inside a YAML literal block must share one indentation level
    secrets: |
      ********************/data/testqa CLIENT_ID | ARM_CLIENT_ID ;
      ********************/data/testqa CLIENT_SECRET | ARM_CLIENT_SECRET ;
      ********************/data/testqa TENANT_ID | ARM_TENANT_ID ;
      ********************/data/testqa SUBSCRIPTION_ID | ARM_SUBSCRIPTION_ID ;
      ********************/data/testqa TF_TOKEN | TF_CLOUD_TOKEN
```


@ragh2711 ragh2711 added the bug Something isn't working label Jul 26, 2024
@fairclothjm (Contributor)

@ragh2711 Hello, I am sorry you are having trouble!

Vault 1.16.2 introduced a backwards incompatible change that requires that the bound_audiences parameter of "jwt" roles must be set and must match at least one of the JWT's associated aud claims, if there are any.

Since the behavior change was a breaking change, we reverted the change in Vault versions 1.15.12 and 1.16.6 and later. However, the behavior change will go into effect in Vault 1.17.

See https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.16.x#jwt-auth-login-requires-bound-audiences-on-the-role
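As an added illustration of the rule described in the comment above (this is example code, not part of the issue, vault-action, or Vault itself): the function below reads the `aud` claim out of a GitHub Actions OIDC token and applies the check as the upgrade note states it, so an operator can tell in advance whether a given role's `bound_audiences` would let the login through before upgrading to 1.17. The sample token is constructed inline with a placeholder signature; the `aud` value `sigstore` is an assumption based on vault-action's `jwtGithubAudience` input, so confirm the audience your workflow actually requests against the action's README. The `vault write` command builder uses the real `auth/jwt/role` endpoint and `bound_audiences`/`user_claim`/`role_type` fields.

```python
import base64
import json
from typing import Iterable, List, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample token: header and payload are real base64url JSON, the
# signature is a placeholder. This code never verifies signatures; Vault does.
SAMPLE_PAYLOAD = {
    "iss": "https://token.actions.githubusercontent.com",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",  # constructed
    "aud": "sigstore",  # assumption: vault-action's default jwtGithubAudience
}
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    "placeholder-signature",
])


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT for local inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def aud_values(claims: dict) -> List[str]:
    """RFC 7519 allows 'aud' to be a single string or an array of strings."""
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    return [str(a) for a in aud]


def audience_check(claims: dict, bound_audiences: Optional[Iterable[str]]) -> Optional[str]:
    """Return None if the token passes the bound_audiences rule as stated in the
    1.16.x upgrade note, otherwise a reason string explaining the rejection.

    Rule: bound_audiences must be set on the jwt role, and if the token carries
    any aud claims, at least one of them must appear in bound_audiences.
    """
    bound = list(bound_audiences or [])
    if not bound:
        return "role has no bound_audiences set; required for jwt roles"
    token_auds = aud_values(claims)
    if token_auds and not (set(token_auds) & set(bound)):
        return f"token aud {token_auds} matches none of bound_audiences {bound}"
    return None


def vault_role_command(mount: str, role: str, bound_audiences: List[str],
                       user_claim: str = "sub") -> str:
    """Build the CLI line that sets bound_audiences on an existing jwt role.

    Mount path and role name are the operator's own values; the fields used
    (role_type, user_claim, bound_audiences) are documented Vault role fields.
    """
    auds = ",".join(bound_audiences)
    return (f"vault write auth/{mount}/role/{role} role_type=jwt "
            f"user_claim={user_claim} bound_audiences={auds}")


if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_JWT)
    for bound in ([], ["sigstore"], ["https://github.com/example-org"]):
        result = audience_check(claims, bound)
        print(f"bound_audiences={bound!r}: {'OK' if result is None else result}")
    # Placeholder mount/role names; substitute the ones from your workflow.
    print(vault_role_command("jwt", "ROLE_NAME_PLACEHOLDER", ["sigstore"]))
```

Run this against a token dumped from a debug run (with `ACTIONS_STEP_DEBUG` set, as the issue template suggests) before upgrading: a non-None result from `audience_check` for your role's current `bound_audiences` is exactly the case that will start failing once the 1.17 behaviour is in effect.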
