Introduction
In v1.16.x and below, setting the parameter bound_audiences was optional when registering a JWT role in the JWT auth method plugin (at least one of bound_audiences, bound_subject, bound_claims, or token_bound_cidrs is required). However, in v1.17.x and above, bound_audiences is mandatory if the JWT contains an audience (aud) claim, which is often the case, and at least one of its values must match one of the JWT's aud values.
Note: HCP Vault Dedicated clusters on versions lower than 1.17.x will be automatically upgraded to the latest version of Vault.
Problem
On JWT login you may receive an error similar to the one below.
Error: audience claim found in JWT but no audiences bound to the role
Solution
Set bound_audiences on the JWT role
Sample payload
{
"bound_audiences": "https://myco.test",
"user_claim": "https://vault/user"
}
Sample request
curl \
--header "X-Vault-Token: ..." \
--header "X-Vault-Namespace: ..." \
--request POST \
--data @payload.json \
https://127.0.0.1:8200/v1/auth/jwt/role/dev-role
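The audience rule described above, as an added Python pre-check that is not Vault's own code: it decodes a JWT's aud claim without verifying the signature and applies the v1.17.x+ matching logic to a role payload like the one shown, so the error can be predicted before a role is updated. The sample token, the helper names and the mismatch wording are constructed for this example.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed, unsigned compact JWT (header.payload.) for testing only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def jwt_audiences(token: str) -> list:
    """Return the aud claim as a list; aud may be a string, a list, or absent.
    The payload is only decoded, never verified: this is a config pre-check, not auth."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    aud = json.loads(base64.urlsafe_b64decode(body)).get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def check_bound_audiences(token: str, role: dict):
    """Mirror the v1.17.x+ rule: if the JWT carries aud, the role must set
    bound_audiences and at least one value must match. Returns None when the
    login would pass this check, otherwise the error text."""
    bound = role.get("bound_audiences") or []
    if isinstance(bound, str):  # Vault also accepts a comma-separated string
        bound = [b.strip() for b in bound.split(",") if b.strip()]
    auds = jwt_audiences(token)
    if auds and not bound:
        return "audience claim found in JWT but no audiences bound to the role"
    if auds and not set(auds) & set(bound):
        # Constructed wording; Vault's exact mismatch message may differ.
        return f"aud claim {auds} does not match bound_audiences {bound}"
    return None


if __name__ == "__main__":
    tok = make_unsigned_jwt({"aud": "https://myco.test", "https://vault/user": "alice"})
    print(check_bound_audiences(tok, {"user_claim": "https://vault/user"}))
    print(check_bound_audiences(tok, {"bound_audiences": "https://myco.test",
                                      "user_claim": "https://vault/user"}))
```

A role without bound_audiences fails only when the token actually carries aud; a token with no aud claim still passes on bound_subject, bound_claims, or token_bound_cidrs alone.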
Related documentation references: