pipeline JWT token


Description

Currently, to authenticate to remote services, keys must be stored securely and must not be accidentally leaked. This also prevents MR build jobs from accessing the secret keys safely.

Proposal

Generate a JWT token that asserts:

{
    "pipeline": "https://gitlab.com/gitlab-org/gitlab-ce/pipelines/10485235",
    "job": "https://gitlab.com/gitlab-org/gitlab-ce/-/jobs/25026971",
    "started": "2017-08-02T10:54:30.391668"
}

Pipelines can then use this assertion to authenticate to services that support it. GitLab can provide the public JWT key somewhere like https://gitlab.com/.pipeline-jwt

Links / references

Documentation blurb

Overview

What is it? Why should someone use this feature?
Allow pipelines to authenticate to remote services

What is the underlying (business) problem?
Currently to authenticate to remote services keys must be stored securely and must not be accidentally leaked.

How do you use this feature?
grab an environment variable with GITLAB_PIPELINE_TOKEN

Use cases

3rd parties such as Source Labs would need to add support.

Feature checklist

Make sure these are completed before closing the issue, with a link to the relevant commit.

  • Feature assurance
  • Documentation
  • Added to features.yml
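
How a remote service could check the proposed assertion before trusting a job, as an added example that is not part of the original issue and not GitLab code. Assumptions: the issue names no signing algorithm, so RS256 is used here; the key pair is a constructed, insecure demo key; the names sign and verify, the allowed-project prefix and the one-hour age limit are hypothetical, and "started" is treated as naive UTC.

```python
import base64, hashlib, json
from datetime import datetime, timedelta

# Constructed demo key built from two Mersenne primes: NOT secure. It stands in
# for the key pair whose public half the proposal would have GitLab publish.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def unb64u(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def emsa(message):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as RS256 uses."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(claims, alg="RS256"):
    """Issuer side (demo only): what GitLab would do when a job starts."""
    head = b64u(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    signing_input = head + b"." + b64u(json.dumps(claims).encode())
    sig = pow(int.from_bytes(emsa(signing_input), "big"), D, N)
    return (signing_input + b"." + b64u(sig.to_bytes(K, "big"))).decode()

def verify(token, allowed_project, now, max_age=timedelta(hours=1)):
    """Relying-service side: returns the claims or raises ValueError."""
    head, body, sig = token.encode().split(b".")
    # Pin the algorithm; never let the token header choose how it is checked.
    if json.loads(unb64u(head)).get("alg") != "RS256":
        raise ValueError("unexpected alg")
    em = pow(int.from_bytes(unb64u(sig), "big"), E, N).to_bytes(K, "big")
    if em != emsa(head + b"." + body):
        raise ValueError("bad signature")
    claims = json.loads(unb64u(body))
    # Authorize on the signed URLs; trailing "/" stops prefix look-alikes.
    for key in ("pipeline", "job"):
        if not str(claims.get(key, "")).startswith(allowed_project + "/"):
            raise ValueError(key + " outside allowed project")
    # The proposed claims carry no expiry, so bound the age of "started".
    age = now - datetime.fromisoformat(claims["started"])
    if not timedelta(0) <= age <= max_age:
        raise ValueError("stale token")
    return claims
```

A job would send the value of GITLAB_PIPELINE_TOKEN with its request, and the service would call verify with the project URL it is willing to serve.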