Generate JWT for authentication and provide it to CI jobs (#207125) · Issues · GitLab.org / GitLab

Generate JWT for authentication and provide it to CI jobs

Problem to solve

We want to support existing Vault users with a lightweight integration using JWT. This will address the needs of those customers that already have Vault installed and want to use it to provide secrets to GitLab CI. It will work for both self-managed and GitLab.com.

Intended users

Further details

Original proposal - #199737 (comment 282657457)
PoC - !25331 (closed)

Proposal

Generate JWT and provide it to CI jobs so that they can use it to authenticate to 3rd party services that support JWT Auth method (e.g. https://www.vaultproject.io/docs/auth/jwt/).

The JWT should contain any relevant information that may be used by the other party to verify the authentication.

Example payload:

{
  "jti": "c82eeb0c-5c6f-4a33-abf5-4c474b92b558", # Unique identifier for this token
  "iss": "gitlab.example.com",                   # Issuer, the domain of your GitLab instance
  "iat": 1585710286,                             # Issued at
  "nbf": 1585798372,                             # Not valid before
  "exp": 1585713886,                             # Expire at
  "sub": "22",                                   # Subject (project id)
  "namespace_id": "1",
  "namespace_path": "mygroup",
  "project_id": "22",
  "project_path": "mygroup/myproject",
  "user_id": "42",
  "user_login": "myuser",
  "user_email": "[email protected]"
  "pipeline_id": "1212",
  "job_id": "1212",
  "ref": "auto-deploy-2020-04-01",               # Git ref for this job
  "ref_type": "branch",                          # Git ref type, branch or tag
  "ref_protected": "true"                        # true if this git ref is protected, false otherwise
}

Documentation

What does success look like, and how can we measure that?

Users are able to use their own Vault with GitLab

What is the type of buyer?

Community Edition

Links / references

Please use this anchor for documentation: https://docs.gitlab.com/ee/#hashicorp-vault-jwt-authentication

### Problem to solve

### Intended users

<!-- Who will use this feature? If known, include any of the following: types of users (e.g. Developer), personas, or specific company roles (e.g. Release Manager). It's okay to write "Unknown" and fill this field in later.

* [Rachel (Release Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#rachel-release-manager)
* [Parker (Product Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#parker-product-manager)
* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
* [Presley (Product Designer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#presley-product-designer)
* [Devon (DevOps Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#devon-devops-engineer)
* [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)
* [Dana (Data Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#dana-data-analyst)

Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/ -->

* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)

### Further details

* Original proposal - https://gitlab.com/gitlab-org/gitlab/-/issues/199737#note_282657457
* PoC - https://gitlab.com/gitlab-org/gitlab/-/merge_requests/25331

### Proposal

Generate JWT and provide it to CI jobs so that they can use it to authenticate to 3rd party services that support JWT Auth method (e.g. https://www.vaultproject.io/docs/auth/jwt/).

The JWT should contain any relevant information that may be used by the other party to verify the authentication.

Example payload:
```ruby
{
  "jti": "c82eeb0c-5c6f-4a33-abf5-4c474b92b558", # Unique identifier for this token
  "iss": "gitlab.example.com",                   # Issuer, the domain of your GitLab instance
  "iat": 1585710286,                             # Issued at
  "nbf": 1585798372,                             # Not valid before
  "exp": 1585713886,                             # Expire at
  "sub": "22",                                   # Subject (project id)
  "namespace_id": "1",
  "namespace_path": "mygroup",
  "project_id": "22",
  "project_path": "mygroup/myproject",
  "user_id": "42",
  "user_login": "myuser",
  "user_email": "myuser@example.com"
  "pipeline_id": "1212",
  "job_id": "1212",
  "ref": "auto-deploy-2020-04-01",               # Git ref for this job
  "ref_type": "branch",                          # Git ref type, branch or tag
  "ref_protected": "true"                        # true if this git ref is protected, false otherwise
}         
```

### Documentation

### What does success look like, and how can we measure that?

* Users are able to use their own Vault with GitLab

### What is the type of buyer?

* Community Edition

### Links / references