Skip to content

Support AWS secrets manager as alternative to Vault

Release notes

You could connect from GitLab CI/CD to cloud providers using environment variables. This approach works fine for many use cases but does not scale well if you need advanced permissions management or would prefer a signed, short-lived, contextualized connection to your cloud provider. GitLab shipped initial support for JWT token-based connection in version 12.10. The current development builds on the already well known CI_JOB_JWT token and introduced a CI_JOB_JWT_V2 variable that can be used to connect to AWS, GCP, Vault and likely many other cloud services.

The new variable is automatically injected into your pipeline, but is not backwards compatible with the current CI_JOB_JWT approach. As a result, together with the V2 release, we introduced a V1 version. Until GitLab 15.0 the CI_JOB_JWT will work without any changes. In GitLab 15.0 it will be changed to point to the V1 version, and the V1 version will remain in the product until GitLab 15.6 when both V1 and V2 will be removed and only the CI_JOB_JWT token will remain with the new value.

Problem to solve

We plan to implement Vault as a secrets store bundled with GitLab, but some customers will prefer to use an AWS-provided service. It will be possible to use our provided Vault with GKE (and any generic Kubernetes cluster), but they also provide their own first-party capability.

Intended users

Many developer and operations users will interact with this feature, but the primary integrator will be security operations teams.

Further details

This will provide more flexibility to teams, ensuring that GitLab is valuable even when not using our bundled secrets solution.

Proposal

We should allow for configuration to select a different secrets provider apart from the default provided Vault one. This should be implemented in a way that

Permissions and Security

Implementing this feature will require a comprehensive security evaluation by @gitlab-com/gl-security/appsec. The goal here is to improve security available both to GitLab itself, for CI/CD pipelines, and for users who want to store secrets in general associated with projects under development in GitLab.

Documentation

Testing

What does success look like, and how can we measure that?

Links / references

Edited by 🤖 GitLab Bot 🤖