Generate JWT for authentication and provide it to CI jobs
Problem to solve
We want to support existing Vault users with a lightweight integration using JWT. This will address the needs of those customers that already have Vault installed and want to use it to provide secrets to GitLab CI. It will work for both self-managed and GitLab.com.
Intended users
Further details
- Original proposal - #199737 (comment 282657457)
- PoC - !25331 (closed)
Proposal
Generate JWT and provide it to CI jobs so that they can use it to authenticate to 3rd party services that support JWT Auth method (e.g. https://www.vaultproject.io/docs/auth/jwt/).
The JWT should contain any relevant information that may be used by the other party to verify the authentication.
Example payload:
{
"jti": "c82eeb0c-5c6f-4a33-abf5-4c474b92b558", # Unique identifier for this token
"iss": "gitlab.example.com", # Issuer, the domain of your GitLab instance
"iat": 1585710286, # Issued at
"nbf": 1585798372, # Not valid before
"exp": 1585713886, # Expire at
"sub": "22", # Subject (project id)
"namespace_id": "1",
"namespace_path": "mygroup",
"project_id": "22",
"project_path": "mygroup/myproject",
"user_id": "42",
"user_login": "myuser",
"user_email": "myuser@example.com"
"pipeline_id": "1212",
"job_id": "1212",
"ref": "auto-deploy-2020-04-01", # Git ref for this job
"ref_type": "branch", # Git ref type, branch or tag
"ref_protected": "true" # true if this git ref is protected, false otherwise
} Documentation
What does success look like, and how can we measure that?
- Users are able to use their own Vault with GitLab
What is the type of buyer?
- Community Edition
Links / references
Please use this anchor for documentation: https://docs.gitlab.com/ee/#hashicorp-vault-jwt-authentication