
Support Vault EE Namespaces with JWT via YAML configuration


Problem to solve

GitHub currently supports namespace specifications for Vault Enterprise. GitLab needs to be able to expand the BYOV instance to support Namespaces in Vault.

https://github.com/marketplace/actions/vault-secrets#vault-enterprise-features

Proposal

Update the detailed syntax to support a new optional namespace parameter, for example:

  secrets:
    SSL_PRIVATE_KEY:
      vault:
        namespace: infrastructure
        engine:
          name: kv-v2
          path: aws
        path: gitlab-test/ssl
        field: private-key

and pass it to Runner to use when authenticating / reading secrets.

Reference documentation: https://www.vaultproject.io/docs/enterprise/namespaces.

Additional notes

Within !80590 (merged), support for Vault EE Namespaces with JWT is already in place via a CI variable.

This issue will implement a YAML configuration to support Vault EE Namespaces with JWT.

Edited by 🤖 GitLab Bot 🤖
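A sketch of how a client could carry the proposed namespace value on both Vault calls (JWT login, then the KV v2 read), using Vault's `X-Vault-Namespace` request header. This is an added example, not GitLab Runner's code. The type and function names are hypothetical, the JWT auth method is assumed to be mounted at `auth/jwt`, and the address, role and token values are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// VaultSecret (hypothetical type) mirrors the proposed secrets:<name>:vault YAML keys.
type VaultSecret struct {
	Namespace  string // new optional parameter; empty means no namespace header
	EngineName string // "kv-v2" in the issue's example
	EnginePath string // mount point of the engine, "aws" in the example
	Path       string // secret path below the mount
	Field      string // key picked from the response data after the read
}

// withNamespace sets X-Vault-Namespace only when a namespace is configured.
func withNamespace(req *http.Request, ns string) *http.Request {
	if ns != "" {
		req.Header.Set("X-Vault-Namespace", ns)
	}
	return req
}

// LoginRequest builds the JWT login call (auth mount "jwt" is an assumption).
func LoginRequest(addr string, s VaultSecret, role, jwt string) (*http.Request, error) {
	body, _ := json.Marshal(map[string]string{"role": role, "jwt": jwt})
	req, err := http.NewRequest(http.MethodPost, addr+"/v1/auth/jwt/login", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	return withNamespace(req, s.Namespace), nil
}

// ReadRequest builds the KV v2 read: /v1/<engine path>/data/<secret path>.
func ReadRequest(addr string, s VaultSecret, token string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/v1/%s/data/%s", addr, s.EnginePath, s.Path), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	return withNamespace(req, s.Namespace), nil
}

func main() {
	r, _ := ReadRequest("https://vault.example.com", VaultSecret{"infrastructure", "kv-v2", "aws", "gitlab-test/ssl", "private-key"}, "constructed-token")
	fmt.Println(r.Method, r.URL.Path, r.Header.Get("X-Vault-Namespace"))
}
```

The header accompanies the read as well as the login because Vault resolves the request path relative to the namespace named in it.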