docker+machine cloud permissions or middleware
Problem to solve
AWS (or any other cloud provider) IAM permission assignment based on the context of the GitLab runner's job environment
Target audience
Release Manager, Security Analyst, DevOps Engineer, Development Lead
Further details
We are working through a number of issues around the use of AWS IAM roles on GitLab runners. One of the things that we consistently run up against is the AWS permissions that we provide to our GitLab runners. It is somewhat limiting to only be able to have one IAM role configured for the docker+machine executor. It would be amazing to have some way to assign IAM roles based on the job environment variables (secret or otherwise), or to change the arguments passed to the docker-machine command.
Proposal
One such method would be a config middleware repository containing scripts that could change the runtime arguments of the docker-machine call, to change things such as network, IAM role and other arguments. This would also require that the job can flag a debug mode to see the resulting docker-machine options applied to the job, so that such middleware scripts can be debugged.
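A sketch of what such a middleware hook could look like, added here as an illustration and not part of GitLab Runner or this proposal's implementation. It assumes the hook receives the requested profile in a hypothetical job variable `RUNNER_IAM_PROFILE`, enables debug output via a hypothetical `MACHINE_MIDDLEWARE_DEBUG=1`, and only ever emits an instance profile from an allowlist, so a job cannot request an arbitrary role; the profile names are constructed sample values.

```shell
#!/bin/sh
# Hypothetical docker-machine middleware hook (example, not GitLab Runner code).
# Maps a job-requested profile name to an extra docker-machine create flag and
# falls back to the least-privileged default when the request is not allowed.

# Allowlist of IAM instance profiles a job may request (constructed sample values).
ALLOWED_PROFILES="runner-readonly runner-deploy-staging"
DEFAULT_PROFILE="runner-readonly"

# profile_allowed NAME -> returns 0 when NAME is in ALLOWED_PROFILES
profile_allowed() {
  for p in $ALLOWED_PROFILES; do
    [ "$p" = "$1" ] && return 0
  done
  return 1
}

# machine_options [REQUESTED_PROFILE] -> prints the extra docker-machine flag.
# An empty or unknown request resolves to DEFAULT_PROFILE and is logged to stderr.
machine_options() {
  requested="${1:-$DEFAULT_PROFILE}"
  if profile_allowed "$requested"; then
    profile="$requested"
  else
    printf 'middleware: profile "%s" not allowed, using "%s"\n' "$requested" "$DEFAULT_PROFILE" >&2
    profile="$DEFAULT_PROFILE"
  fi
  # --amazonec2-iam-instance-profile is the real amazonec2 driver flag for this purpose.
  printf '%s' "--amazonec2-iam-instance-profile=$profile"
}

# run_middleware -> resolves options from the job environment; with the
# hypothetical MACHINE_MIDDLEWARE_DEBUG=1 the resolved options are echoed to
# stderr so the job log shows what was applied.
run_middleware() {
  opts=$(machine_options "${RUNNER_IAM_PROFILE:-}")
  if [ "${MACHINE_MIDDLEWARE_DEBUG:-0}" = "1" ]; then
    printf 'docker-machine extra options: %s\n' "$opts" >&2
  fi
  printf '%s\n' "$opts"
}
```

The runner would append the printed flag to its docker-machine create call; anything beyond the allowlist is rejected rather than passed through.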
What does success look like, and how can we measure that?
This request is purely looking to make the permissions of scalable, cloud-based runners more dynamic, to allow for more cost saving and tighter security in the permissions assigned to jobs.