Description
Expected Behavior
When defining Vault as the KMS we should be able to use JWT Auth as an OIDC login in Vault when signing images and taskruns, by only defining the following values in the Chains ConfigMap:
```
...
signers.kms.auth.oidc.path: jwt
signers.kms.auth.oidc.role: tekton-chains
...
```
Actual Behavior
The only way to use Vault is to define the VAULT_TOKEN with signers.kms.auth.token. When trying to use the OIDC login, the Chains controller pod is complaining about not finding the Vault token with the following log:
```
{"level":"info","ts":"2025-11-27T12:31:46.516Z","logger":"watcher","caller":"controller/controller.go:548","msg":"Reconcile succeeded","knative.dev/controller":"github.com.tektoncd.chains.pkg.reconciler.taskrun.Reconciler","knative.dev/kind":"tekton.dev.TaskRun","knative.dev/traceid":"3e006724-a6b3-4a3e-9d51-42809f7994fd","knative.dev/key":"app/git-clone-run-r-7f5d9","duration":0.000129333}
2025/11/27 12:31:48 VAULT_TOKEN is not set, trying to read token from file at path ~/.vault-token
{"level":"warn","ts":"2025-11-27T12:31:48.538Z","logger":"watcher","caller":"chains/signing.go:79","msg":"error configuring kms signer with config {hashivault://supply-chain {http://vault.vault.svc.cluster.local:8200 {jwt tekton-chains} { }}}: read .vault-token file: open /home/nonroot/.vault-token: no such file or directory","knative.dev/controller":"github.com.tektoncd.chains.pkg.reconciler.taskrun.Reconciler","knative.dev/kind":"tekton.dev.TaskRun","knative.dev/traceid":"469b1b29-4a21-4ad0-9837-5501c4f4b497","knative.dev/key":"app/git-clone-run-r-7f5d9"}
```
Steps to Reproduce the Problem
We've been following steps similar to the tutorial at https://tekton.dev/docs/chains/hashicorp-integration-tutorial/, but configuring the JWT auth method in Vault and configuring Chains to use it.
- Deploy Vault in a Kind Kubernetes cluster
- Deploy Tekton Pipelines and Tekton Chains in the same K8s cluster
- Successfully create a Vault transit key called `supply-chain` with the cosign command
- Configure the Vault JWT auth method and an auth method role (with a Vault policy defined beforehand):

```
vault write auth/jwt/role/tekton-chains \
    role_type="jwt" \
    bound_audiences="$K8S_AUDIENCE" \
    user_claim="sub" \
    bound_subject="system:serviceaccount:tekton-chains:tekton-chains-controller" \
    policies="tekton-chains-policy" \
    ttl="1h"
```

- Configure the Tekton Chains configmap with the OIDC params instead of using the VAULT_TOKEN:

```
signers.kms.auth.oidc.path: jwt
signers.kms.auth.oidc.role: tekton-chains
```

- Deploy an example TaskRun that builds an image with Kaniko and signs it.
The result is that the image is only signed with the Vault key if VAULT_TOKEN is used in Chains, and not with the JWT auth method, as the docs say can be done.
Additional Info
- Kubernetes version:
  Output of `kubectl version`:

  ```
  Client Version: v1.34.1
  Kustomize Version: v5.7.1
  Server Version: v1.34.0
  ```

- Tekton Pipeline version:
  Output of `tkn version` or `kubectl get pods -n tekton-pipelines -l app=tekton-pipelines-controller -o=jsonpath='{.items[0].metadata.labels.version}'`:

  ```
  Client version: 0.42.0
  Chains version: v0.26.0
  Pipeline version: v1.6.0
  Dashboard version: v0.63.1
  Operator version: v0.77.0
  ```
Tekton Chains is configured as follows:
```
artifacts.taskrun.format: slsa/v1
artifacts.taskrun.storage: oci
artifacts.taskrun.signer: kms
artifacts.pipelinerun.signer: kms
artifacts.oci.signer: kms
transparency.enabled: "true"
signers.kms.kmsref: hashivault://supply-chain
signers.kms.auth.address: http://vault.vault.svc.cluster.local:8200
signers.kms.auth.oidc.path: jwt
signers.kms.auth.oidc.role: tekton-chains
```
And Vault is configured with the JWT auth method:
```
$ vault read auth/jwt/role/tekton-chains
Key                        Value
---                        -----
allowed_redirect_uris      <nil>
bound_audiences            [https://kubernetes.default.svc.cluster.local]
bound_claims               <nil>
bound_claims_type          string
bound_subject              system:serviceaccount:tekton-chains:tekton-chains-controller
claim_mappings             <nil>
clock_skew_leeway          0
expiration_leeway          0
groups_claim               n/a
max_age                    0
not_before_leeway          0
oidc_scopes                <nil>
policies                   [tekton-chains-policy]
role_type                  jwt
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [tekton-chains-policy]
token_ttl                  1h
token_type                 default
ttl                        1h
user_claim                 sub
user_claim_json_pointer    false
verbose_oidc_logging       false
```
The Vault JWT auth method works when tested directly:
```
$ curl -k -s $VAULT_ADDR/v1/auth/jwt/login -d "{\"role\": \"tekton-chains\", \"jwt\": \"$TOKEN_SA\"}" | jq
{
  "request_id": "643920b6-52c3-306d-2631-8e7a26b770b5",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "wrap_info": null,
  "warnings": null,
  "auth": {
    "client_token": "hvs.CAESI....",
    "policies": [
      "default",
      "tekton-chains-policy"
    ],
    "token_policies": [
      "default",
      "tekton-chains-policy"
    ],
    "metadata": {
      "role": "tekton-chains"
    },
    "lease_duration": 3600,
    "renewable": true,
    "entity_id": "8f568f84-67bc-46ab-4fcb-1cd8879d2f73",
    "token_type": "service",
    "orphan": true,
    "mfa_requirement": null,
    "num_uses": 0
  },
  "mount_type": ""
}
```
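A diagnostic that helps when debugging a report like this one, added here as an example that is not part of the issue, Tekton Chains or Vault: it decodes the claims of the service-account JWT that Chains would present and compares them against the `bound_audiences`, `bound_subject` and `user_claim` bindings shown by `vault read auth/jwt/role/tekton-chains` above, so a rejected login can be traced to a claim mismatch rather than to the signer's token-file fallback. The two tokens in the block are constructed for offline use and the helper names are my own.

```python
import base64
import json

# Bindings copied from the `vault read auth/jwt/role/tekton-chains` output in the issue.
ROLE = {
    "bound_audiences": ["https://kubernetes.default.svc.cluster.local"],
    "bound_subject": "system:serviceaccount:tekton-chains:tekton-chains-controller",
    "user_claim": "sub",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. No signature check: diagnostic only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_against_role(token: str, role: dict = ROLE) -> list:
    """List every way the token's claims fail the role's bindings; [] means Vault would accept them."""
    claims = jwt_claims(token)
    problems = []
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # RFC 7519 allows 'aud' to be a single string
        aud = [aud]
    if not set(aud) & set(role["bound_audiences"]):  # Vault needs at least one matching audience
        problems.append(f"aud {aud} has no overlap with bound_audiences {role['bound_audiences']}")
    subject = claims.get(role["user_claim"])
    if subject is None:
        problems.append(f"user_claim {role['user_claim']!r} is missing from the token")
    elif role.get("bound_subject") and subject != role["bound_subject"]:
        problems.append(f"{role['user_claim']}={subject!r} != bound_subject {role['bound_subject']!r}")
    return problems


def _unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) token so the checks above run offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens, not real projected service-account tokens.
GOOD_TOKEN = _unsigned_jwt({"aud": ["https://kubernetes.default.svc.cluster.local"],
                            "sub": "system:serviceaccount:tekton-chains:tekton-chains-controller"})
BAD_TOKEN = _unsigned_jwt({"aud": ["vault"], "sub": "system:serviceaccount:tekton-chains:default"})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, check_against_role(tok) or "claims match the role bindings")
```

Pointing `check_against_role` at the token read from the controller pod's projected volume shows whether the role would accept that token, independently of how the signer obtains it.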