gcp_secret_manager matching is incorrect

Summary

Using the FQDN for secrets results in an error due to how we are matching the string.

Steps to reproduce

Use the following .gitlab-ci.yml:

.gitlab-ci.yml
job_using_gcp_sm:
  id_tokens:
    GCP_ID_TOKEN:
      # `aud` must match the audience defined in the WIF Identity Pool.
      aud: https://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID}/providers/${GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID}
  secrets:
    SECRET_FROM_GCP:
      gcp_secret_manager:
        name: "projects/${GCP_PROJECT_NUMBER}/secrets/super-secret-key"  # This is the name of the secret defined in GCP Secret Manager
        version: 1               # optional: default to `latest`.
      token: $GCP_ID_TOKEN
  script:
    - echo "$SECRET_FROM_GCP"
    - cat "$SECRET_FROM_GCP"

Actual behavior

An error is returned saying the secret ID does not match the expected format.

Expected behavior

The job succeeds and the secret is resolved.

Relevant logs and/or screenshots

ERROR: Job failed (system failure): resolving secrets: failed to get secret: rpc error: code = InvalidArgument desc = The provided Secret ID [projects/69742820581/secrets/projects/69742820581/secrets/super-secret-key/versions/1] does not match the expected format [projects/*/secrets/*/versions/*]

Environment description

This happens on GitLab.com using 17.0 GitLab-hosted runners.

Possible fixes

This line https://gitlab.com/gitlab-org/gitlab-runner/-/blob/main/helpers/gcp_secret_manager/service/gcp_secret_manager.go#L120 seems to use filepath.Match, which ends up duplicating the string into projects/69742820581/secrets/projects/69742820581/secrets/super-secret-key/versions/1.
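As an added illustration of the matching problem (hypothetical code, not gitlab-runner's own): a name resolver that accepts a short secret name, a `projects/<n>/secrets/<name>` path, or a full `.../versions/<v>` path and normalises all three to the `projects/*/secrets/*/versions/*` form the API expects, next to a builder that reproduces the duplicated ID from the log above. The project number is the one from the issue's log; the function names are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical helper, not gitlab-runner's code: the resource ID format the
// Secret Manager API expects, as quoted in the issue's error message.
var fullSecretID = regexp.MustCompile(`^projects/[^/]+/secrets/[^/]+/versions/[^/]+$`)

// buildSecretIDBuggy mimics the failure mode in the report: the configured
// name is injected into the name slot of the URI even when it is already a
// fully-qualified resource path, so "projects/<n>/secrets/" appears twice.
func buildSecretIDBuggy(project, name, version string) string {
	return fmt.Sprintf("projects/%s/secrets/%s/versions/%s", project, name, version)
}

// buildSecretID normalises either form to projects/*/secrets/*/versions/*:
//   - "super-secret-key"                        -> prefixed with project, version appended
//   - "projects/<n>/secrets/<name>"             -> only the version is appended
//   - "projects/<n>/secrets/<name>/versions/<v>" -> returned unchanged
// The result is validated before use so a malformed ID fails locally.
func buildSecretID(project, name, version string) (string, error) {
	if version == "" {
		version = "latest" // same default the CI config documents
	}
	var id string
	switch {
	case strings.HasPrefix(name, "projects/") && strings.Contains(name, "/versions/"):
		id = name
	case strings.HasPrefix(name, "projects/"):
		id = name + "/versions/" + version
	default:
		id = fmt.Sprintf("projects/%s/secrets/%s/versions/%s", project, name, version)
	}
	if !fullSecretID.MatchString(id) {
		return "", fmt.Errorf("secret ID %q does not match projects/*/secrets/*/versions/*", id)
	}
	return id, nil
}

func main() {
	// Constructed sample input: the FQDN form from the issue's .gitlab-ci.yml.
	name := "projects/69742820581/secrets/super-secret-key"
	fmt.Println("buggy:", buildSecretIDBuggy("69742820581", name, "1"))
	id, err := buildSecretID("69742820581", name, "1")
	fmt.Println("fixed:", id, err)
}
```

Note that filepath.Match's `*` never matches a path separator, so a path-style pattern only matches names with exactly that number of components; the example therefore distinguishes the three accepted forms with explicit prefix checks instead.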

From Tomasz:

It jumps to line 126 and injects the "full URI" into the name part of the built URI, causing the projects/[0-9] part to be repeated twice in the final secret ID.

Another thing to keep in mind is that the test here actually tests this functionality; however, it doesn't work in reality: https://gitlab.com/gitlab-org/gitlab-runner/-/blob/0636745224374b8390d19d667c08b6a699fb1cd9/helpers/gcp_secret_manager/service/gcp_secret_manager_test.go#L226

Edited by Filip Aleksic