This guide provides examples of errors you may encounter when trying to set up the GitLab Vault integration with HCP Vault, explains why each error occurs, and shows how to resolve it.
After setting up GitLab CI/CD integration with Vault and trying to run a job, you may run into 400 errors similar to the following:
ERROR: Job failed (system failure): resolving secrets: initializing Vault service: preparing authenticated client: authenticating Vault client: writing to Vault: api error: status code 400: role "vault-example" could not be found
ERROR: Job failed (system failure): resolving secrets: initializing Vault service: preparing authenticated client: authenticating Vault client: writing to Vault: api error: status code 400: missing client token
If no namespace is specified in the job script, GitLab/GitLab Runner tries to run in the "root" namespace, which does not exist in HCP Vault.
Some versions of GitLab/GitLab Runner do not support namespaces in Vault.
HCP Vault requires that all CLI and API requests target a namespace (see this article for more details). You need to export the namespace for HCP Vault, either with an export command in the job script or through GitLab CI/CD variables (available only with GitLab/GitLab Runner version 14.9 or higher).
In your job script, export the namespace for HCP Vault:
read_secrets:
  script:
    # Vault's address can be provided here or as a CI/CD variable
    - export VAULT_ADDR=http://vault.example.com:8200
    # Vault's namespace can be provided here or as a CI/CD variable
    - export VAULT_NAMESPACE=admin
GitLab CI/CD variables
GitLab supports CI/CD environment variables for use in jobs. To use the VAULT_NAMESPACE CI/CD variable, make sure you are running GitLab/GitLab Runner version 14.9 or higher.
read_secrets:
  script:
    # print the variables to confirm they are set; note that echoing VAULT_TOKEN writes the token to the job log
    - echo $VAULT_ADDR
    - echo $VAULT_TOKEN
    - echo $VAULT_NAMESPACE
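The following is an added example, not part of the original article, showing a complete job that reads a secret from HCP Vault through GitLab's `secrets:` keyword with the namespace supplied as a CI/CD variable. The Vault URL, role name, audience and secret path are placeholders; the "admin" namespace is HCP Vault's default.

```yaml
# Added example: pipeline variables and a job that resolves a secret from HCP Vault.
# All values marked "placeholder" are assumptions, not values from the article.
variables:
  VAULT_SERVER_URL: https://vault-cluster.example.hashicorp.cloud:8200  # placeholder HCP Vault address
  VAULT_AUTH_ROLE: gitlab-ci-role     # placeholder JWT auth role; it must exist in the namespace below
  VAULT_AUTH_PATH: jwt                # auth method mount path (jwt is the default)
  # Without this variable the runner authenticates against the root namespace, which
  # HCP Vault does not expose, and the job fails with:
  #   api error: status code 400: role "gitlab-ci-role" could not be found
  VAULT_NAMESPACE: admin

read_secrets:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://gitlab.example.com   # placeholder; must match the role's bound audience
  secrets:
    DATABASE_PASSWORD:
      vault: production/db/password@kv  # placeholder: field "password" of secret "production/db" in KV mount "kv"
      token: $VAULT_ID_TOKEN
      file: false                       # expose the value as a variable rather than a file path
  script:
    - echo "namespace in use: $VAULT_NAMESPACE"
    - test -n "$DATABASE_PASSWORD"      # confirm the secret resolved without printing it to the log
```

Removing the VAULT_NAMESPACE line from this file reproduces the 400 error shown above, which is the quickest way to confirm a namespace problem rather than a role or policy problem.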
Additional Information and Resources
See GitLab's guide to learn how to authenticate and read secrets with HashiCorp Vault.
See GitLab's guide to learn how to use external secrets in CI.