gcp_secret_manager matching is incorrect
Summary
Using the FQDN for secrets results in an error due to how we are matching the string.
Steps to reproduce
Use the following `.gitlab-ci.yml`:

```yaml
job_using_gcp_sm:
  id_tokens:
    GCP_ID_TOKEN:
      # `aud` must match the audience defined in the WIF Identity Pool.
      aud: https://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID}/providers/${GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID}
  secrets:
    SECRET_FROM_GCP:
      gcp_secret_manager:
        name: "projects/${GCP_PROJECT_NUMBER}/secrets/super-secret-key" # This is the name of the secret defined in GCP Secret Manager
        version: 1 # optional: default to `latest`.
      token: $GCP_ID_TOKEN
  script:
    - echo "$SECRET_FROM_GCP"
    - cat "$SECRET_FROM_GCP"
```
Actual behavior
An error is returned saying the format is incorrect.
Expected behavior
The job succeeds.
Relevant logs and/or screenshots
ERROR: Job failed (system failure): resolving secrets: failed to get secret: rpc error: code = InvalidArgument desc = The provided Secret ID [projects/69742820581/secrets/projects/69742820581/secrets/super-secret-key/versions/1] does not match the expected format [projects/*/secrets/*/versions/*]
Environment description
This happens on GitLab.com using 17.0 GitLab-hosted runners.
Possible fixes
This line https://gitlab.com/gitlab-org/gitlab-runner/-/blob/main/helpers/gcp_secret_manager/service/gcp_secret_manager.go#L120 seems to use filepath.Match, which duplicates the string into `projects/69742820581/secrets/projects/69742820581/secrets/super-secret-key/versions/1`.
From Tomasz:
It jumps to line 126 and injects the "full URI" into the name part of the built URI, causing the projects/[0-9] part to be repeated twice in the final secret ID.
Another thing to keep in mind is that the test here actually tests this functionality; however, it doesn't work in reality: https://gitlab.com/gitlab-org/gitlab-runner/-/blob/0636745224374b8390d19d667c08b6a699fb1cd9/helpers/gcp_secret_manager/service/gcp_secret_manager_test.go#L226
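The following Go program is an added illustration of the two behaviours described in this issue; it is not the runner's code and was not posted by the reporter or by Tomasz. `buggyVersionName` models the reported failure mode (the configured `name` is always wrapped in `projects/<n>/secrets/<name>/versions/<v>`, so a fully qualified name gets the prefix twice, reproducing the doubled path from the job log), and `fixedVersionName` shows the check a fix needs: decide whether `name` is already a `projects/<n>/secrets/<id>` resource before qualifying it, and reject anything else containing a separator instead of letting the API produce the InvalidArgument error. The function names are hypothetical, and the project number and secret names are constructed from the log line quoted above.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// Constructed sample values taken from the log line in this issue; they are
// illustrative only and not tied to any real project.
const (
	projectNumber   = "69742820581"
	shortSecretName = "super-secret-key"
	fullSecretName  = "projects/69742820581/secrets/super-secret-key"
)

// buggyVersionName models the failure mode reported above: the configured
// `name` is always treated as a short secret ID and wrapped in the
// projects/<n>/secrets/<id>/versions/<v> form, so a name that is already
// fully qualified gets the projects/.../secrets/ prefix a second time.
// (Hypothetical helper, not the runner's own code.)
func buggyVersionName(project, name, version string) string {
	return fmt.Sprintf("projects/%s/secrets/%s/versions/%s", project, name, version)
}

// isFullSecretName reports whether name already has the exact shape
// projects/<n>/secrets/<id> with non-empty segments. A segment-by-segment
// check is used instead of path.Match("projects/*/secrets/*", name) because
// `*` in a match pattern also accepts an empty segment such as projects//secrets/x.
func isFullSecretName(name string) bool {
	parts := strings.Split(name, "/")
	return len(parts) == 4 &&
		parts[0] == "projects" && parts[1] != "" &&
		parts[2] == "secrets" && parts[3] != ""
}

// fixedVersionName accepts either a short secret ID or a fully qualified
// projects/<n>/secrets/<id> name and returns the versioned resource name in the
// projects/*/secrets/*/versions/* form. An empty version means "latest",
// mirroring the default mentioned in the config comment above.
func fixedVersionName(project, name, version string) (string, error) {
	if version == "" {
		version = "latest"
	}
	name = strings.TrimSuffix(name, "/")

	if name == "" {
		return "", errors.New("secret name must not be empty")
	}
	if isFullSecretName(name) {
		// Already qualified: do not prepend the project prefix again.
		return name + "/versions/" + version, nil
	}
	if strings.Contains(name, "/") {
		// Anything else containing a separator is malformed; fail early with a
		// clear message rather than sending a doubled prefix to the API.
		return "", fmt.Errorf("secret name %q is neither a short secret ID nor projects/*/secrets/*", name)
	}
	if project == "" {
		return "", fmt.Errorf("a project number is required to qualify short secret name %q", name)
	}
	return fmt.Sprintf("projects/%s/secrets/%s/versions/%s", project, name, version), nil
}

// matchesAPIFormat checks a built name against the pattern quoted in the
// API error from this issue, projects/*/secrets/*/versions/*.
func matchesAPIFormat(versionName string) bool {
	ok, err := path.Match("projects/*/secrets/*/versions/*", versionName)
	return err == nil && ok
}

func main() {
	// The doubled prefix from the job log.
	bad := buggyVersionName(projectNumber, fullSecretName, "1")
	fmt.Printf("buggy: %s (valid=%t)\n", bad, matchesAPIFormat(bad))

	for _, name := range []string{fullSecretName, shortSecretName, "not/a/valid/name"} {
		got, err := fixedVersionName(projectNumber, name, "1")
		if err != nil {
			fmt.Printf("fixed: %s -> error: %v\n", name, err)
			continue
		}
		fmt.Printf("fixed: %s -> %s (valid=%t)\n", name, got, matchesAPIFormat(got))
	}
}
```

Running `go run` on the program prints the doubled name from the log (which fails the `projects/*/secrets/*/versions/*` check) and then the correctly qualified name for both the full and the short form of the secret. The segment check rather than a glob is deliberate: `*` in `path.Match`/`filepath.Match` never crosses a `/`, which is why the doubled prefix is rejected by the API, but it does match an empty segment, so a glob alone would accept `projects//secrets/x` as fully qualified.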