support Google Cloud secrets from projects other than the one containing the WIF pool
What does this MR do?
As noted in #37487, there is currently no way to reference a Google secret from a project other than the one containing the WIF pool despite Google supporting this.

Extend the interpretation of `gcp_secret_manager:name:` to allow fully-qualified secret resource names. If the secret name matches the pattern `projects/*/secrets/*`, we use it as the full resource name; otherwise we fall back to the existing behaviour of interpolating the project id used to construct the WIF audience.
This is my first MR and so I'm unsure of where/how I update the documentation relating to this feature.
Why was this MR needed?
We are heavy users of Google Cloud and, following Google's recommended practice, we have a single WIF pool representing GitLab. We have multiple Google projects, however, and we need to access secrets which live in Google projects other than the one containing the WIF pool.
What's the best way to test this MR?
See #37487 but, in brief:

- Create a WIF Pool in Google Project A following https://docs.gitlab.com/ee/ci/secrets/gcp_secret_manager.html
- Create a Google Secret in Project B.
- Grant the appropriate `principalSet://...` IAM principal access to the secret via an IAM policy.
- Attempt to configure Google Cloud Secret Manager integration as per https://docs.gitlab.com/ee/ci/secrets/gcp_secret_manager.html but use `projects/{project-b-id}/secrets/{secret-id}` as the secret name.

For example, in `.gitlab-ci.yml`:
```yaml
# Project A is project 1234565789. Project B is 987654321
#
# Secret is located at projects/987654321/secrets/my-secret/versions/1 and appropriate
# IAM permissions have been granted to a principalSet://... IAM principal corresponding
# to this CI job.
build:
  id_tokens:
    GCP_ID_TOKEN:
      aud: //iam.googleapis.com/projects/1234565789/locations/global/workloadIdentityPools/gitlab/providers/gitlab
  secrets:
    SUPER_SECRET:
      gcp_secret_manager:
        name: projects/987654321/secrets/my-secret
        version: 1
      token: $GCP_ID_TOKEN
  variables:
    GCP_PROJECT_NUMBER: "1234565789"
    GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID: gitlab
    GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID: gitlab
  script:
    - echo $SUPER_SECRET
```
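The name-resolution rule described under "What does this MR do?", worked through against the `.gitlab-ci.yml` values above, as an added example in Go. This is illustrative code written for this page, not the MR's diff and not GitLab Runner's implementation. The function names, the regular expressions, the decision to reject a name that already carries a `/versions/N` suffix (rather than re-interpolating the pool's project in front of it), the `latest` default and the REST access URL are all assumptions of the example; the two project numbers and the audience string are the constructed values from the YAML above.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// fullSecretName matches a fully-qualified Secret Manager secret resource name,
// projects/<project>/secrets/<secret>, with no trailing /versions/... segment.
// The project segment may be a project number or a project ID.
var fullSecretName = regexp.MustCompile(`^projects/[^/]+/secrets/[^/]+$`)

// shortSecretName matches a bare secret ID (letters, digits, dash, underscore).
var shortSecretName = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// wifAudience extracts the project number from a WIF audience such as
// //iam.googleapis.com/projects/1234565789/locations/global/workloadIdentityPools/gitlab/providers/gitlab
var wifAudience = regexp.MustCompile(`^//iam\.googleapis\.com/projects/([0-9]+)/locations/`)

// ProjectFromAudience returns the project number embedded in a WIF audience.
func ProjectFromAudience(aud string) (string, error) {
	m := wifAudience.FindStringSubmatch(aud)
	if m == nil {
		return "", fmt.Errorf("not a WIF audience: %q", aud)
	}
	return m[1], nil
}

// ResolveSecretVersionName applies the rule: a name already of the form
// projects/*/secrets/* is used as-is (so it may point at a project other than
// the WIF pool's); any other well-formed name is a bare secret ID interpolated
// into wifProject. Anything else (for example a name that already ends in
// /versions/N) is rejected instead of being silently mangled.
func ResolveSecretVersionName(name, version, wifProject string) (string, error) {
	if version == "" {
		version = "latest" // Secret Manager's alias for the newest enabled version (assumed default)
	}
	switch {
	case fullSecretName.MatchString(name):
		// Fully-qualified: trust the caller's project, not the pool's.
	case shortSecretName.MatchString(name):
		if wifProject == "" {
			return "", errors.New("bare secret name but no WIF project to interpolate")
		}
		name = fmt.Sprintf("projects/%s/secrets/%s", wifProject, name)
	default:
		return "", fmt.Errorf("malformed secret name %q: want <secret-id> or projects/<project>/secrets/<secret-id>", name)
	}
	return fmt.Sprintf("%s/versions/%s", name, version), nil
}

// AccessURL is the Secret Manager REST endpoint a client would call, bearing
// the federated access token, to read the secret payload.
func AccessURL(versionName string) string {
	return "https://secretmanager.googleapis.com/v1/" + versionName + ":access"
}

func main() {
	// Constructed values matching the .gitlab-ci.yml example above.
	aud := "//iam.googleapis.com/projects/1234565789/locations/global/workloadIdentityPools/gitlab/providers/gitlab"
	project, err := ProjectFromAudience(aud)
	if err != nil {
		panic(err)
	}
	for _, name := range []string{
		"my-secret",                            // existing behaviour: resolved in the pool's project
		"projects/987654321/secrets/my-secret", // new behaviour: cross-project, used verbatim
		"projects/987654321/secrets/my-secret/versions/1", // rejected: version belongs in `version:`
	} {
		v, err := ResolveSecretVersionName(name, "1", project)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(AccessURL(v))
	}
}
```

The practical check this encodes: a fully-qualified name bypasses the pool project entirely, so the only thing standing between the job and a secret in Project B is the IAM binding on that secret for the `principalSet://...` principal. Granting that binding, not the WIF pool's location, is what scopes cross-project access.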