
support Google Cloud secrets from projects other than the one containing the WIF pool


What does this MR do?

As noted in #37487, there is currently no way to reference a Google secret from a project other than the one containing the WIF pool despite Google supporting this.

Extend the interpretation of gcp_secret_manager:name: to allow fully-qualified secret resource names.

If the secret name matches the pattern projects/*/secrets/*, we use it as the full resource name; otherwise we fall back to the existing behaviour of interpolating the project id used to construct the WIF audience.

This is my first MR and so I'm unsure of where/how I update the documentation relating to this feature.

Why was this MR needed?

We are heavy users of Google Cloud and, following Google's recommended practice, we have a single WIF pool representing GitLab. We have multiple Google projects, however, and we need to access secrets which live in Google projects other than the one containing the WIF pool.

What's the best way to test this MR?

See #37487 but, in brief:

  1. Create a WIF Pool in Google Project A following https://docs.gitlab.com/ee/ci/secrets/gcp_secret_manager.html
  2. Create a Google Secret in Project B.
  3. Grant the appropriate principalSet://... IAM principal access to the secret via an IAM policy.
  4. Attempt to configure Google Cloud Secret Manager integration as per https://docs.gitlab.com/ee/ci/secrets/gcp_secret_manager.html but use projects/{project-b-id}/secrets/{secret-id} as the secret name.

For example, in .gitlab-ci.yml:

# Project A is project 1234565789. Project B is 987654321
#
# Secret is located at projects/987654321/secrets/my-secret/versions/1 and appropriate
# IAM permissions have been granted to a principalSet://... IAM principal corresponding
# to this CI job.
build:
  id_tokens:
    GCP_ID_TOKEN:
      aud: //iam.googleapis.com/projects/1234565789/locations/global/workloadIdentityPools/gitlab/providers/gitlab
  secrets:
    SUPER_SECRET:
      gcp_secret_manager:
        name: projects/987654321/secrets/my-secret
        version: 1
      token: $GCP_ID_TOKEN
  variables:
    # Project number of the WIF pool's project (Project A), not of the
    # project that holds the secret; it is only used to build the audience
    # and to interpolate bare (non-fully-qualified) secret names.
    GCP_PROJECT_NUMBER: "1234565789"
    GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID: gitlab
    GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID: gitlab
  script:
    - echo $SUPER_SECRET

What are the relevant issue numbers?

Edited by Rich Wareham
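The name resolution the MR describes (a name matching projects/*/secrets/* is taken as the full resource name, anything else is interpolated with the WIF audience project number), as an added stand-alone example. This is not the MR's diff or the runner's own resolver: the function names, the SecretRef type and the regular expression are this example's assumptions. It goes one step further than the MR text in one respect, which is labelled in the code: a name that contains a slash but does not match the pattern is rejected up front rather than passed through to the API, so a copy-pasted name with a trailing /versions/N segment fails with a clear message instead of an opaque Google error. The project numbers are the ones used in the .gitlab-ci.yml above.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// fullyQualifiedSecret matches projects/<project>/secrets/<secret> exactly,
// with no trailing /versions/<n> segment. The MR text gives the pattern as
// projects/*/secrets/*; this anchored regex is this example's reading of it.
var fullyQualifiedSecret = regexp.MustCompile(`^projects/([^/]+)/secrets/([^/]+)$`)

// SecretRef mirrors the gcp_secret_manager block of a CI job secret
// (type name is this example's own, not the runner's).
type SecretRef struct {
	Name    string // bare secret id, or projects/<project>/secrets/<secret>
	Version string // numeric version or "latest"; empty means "latest"
}

// ResolveVersionName returns the secret-version resource name to request
// from Secret Manager. audienceProject is the project number used to build
// the WIF audience (GCP_PROJECT_NUMBER); it only matters for bare names.
func ResolveVersionName(audienceProject string, ref SecretRef) (string, error) {
	if ref.Name == "" {
		return "", errors.New("gcp_secret_manager: name must not be empty")
	}
	version := ref.Version
	if version == "" {
		version = "latest"
	}
	// Fully-qualified name: use it as-is; the project that owns the secret
	// may differ from the one that owns the WIF pool.
	if fullyQualifiedSecret.MatchString(ref.Name) {
		return fmt.Sprintf("%s/versions/%s", ref.Name, version), nil
	}
	// Assumption beyond the MR text: a slash-containing name that is not
	// fully qualified is a configuration error (e.g. a version suffix was
	// pasted in), so reject it here rather than send it to the API.
	if strings.Contains(ref.Name, "/") {
		return "", fmt.Errorf("gcp_secret_manager: name %q is neither a bare secret id nor projects/<project>/secrets/<secret>", ref.Name)
	}
	if audienceProject == "" {
		return "", errors.New("gcp_secret_manager: bare secret name requires GCP_PROJECT_NUMBER")
	}
	// Existing behaviour: interpolate the WIF audience project number.
	return fmt.Sprintf("projects/%s/secrets/%s/versions/%s", audienceProject, ref.Name, version), nil
}

// SecretProject extracts the project segment from a resolved resource name.
// Useful when auditing which projects a pipeline's principalSet needs
// roles/secretmanager.secretAccessor on; returns "" for malformed input.
func SecretProject(resourceName string) string {
	parts := strings.Split(resourceName, "/")
	if len(parts) >= 4 && parts[0] == "projects" && parts[2] == "secrets" {
		return parts[1]
	}
	return ""
}

func main() {
	// Constructed inputs: Project A (WIF pool) is 1234565789, Project B
	// (owns the secret) is 987654321, as in the .gitlab-ci.yml above.
	const audienceProject = "1234565789"
	refs := []SecretRef{
		{Name: "projects/987654321/secrets/my-secret", Version: "1"}, // cross-project
		{Name: "my-secret", Version: "1"},                            // legacy bare name
		{Name: "my-secret"},                                          // defaults to latest
		{Name: "projects/987654321/secrets/my-secret/versions/1"},    // rejected
	}
	for _, ref := range refs {
		name, err := ResolveVersionName(audienceProject, ref)
		if err != nil {
			fmt.Printf("%-55s -> error: %v\n", ref.Name, err)
			continue
		}
		fmt.Printf("%-55s -> %s (project %s)\n", ref.Name, name, SecretProject(name))
	}
}
```

The IAM binding, not the resolver, is what actually gates cross-project access: the principalSet://... principal from the WIF pool in Project A must hold roles/secretmanager.secretAccessor on the secret in Project B, exactly as step 3 of the test procedure says, and a fully-qualified name pointing at a project where that grant is missing will fail at AccessSecretVersion time with a permission error.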
