Integrate GitLab with Vault for ephemeral access tokens
Release notes
The problem: GitLab has no ephemeral API keys, only static ones. A leaked key therefore remains usable until someone notices the leak and revokes it, which can take a long time.
The solution: implement ephemeral API keys that need not be tied to a real user account.
Currently the only way to get an API key is to create a user and generate a personal access token from that user's profile.
Vault (https://www.vaultproject.io/) offers many ways to secure secrets, and with AppRole
(https://www.vaultproject.io/docs/auth/approle) an admin can define a role for an application or machine and bind it to a specific application, in this case GitLab.
Vault would mint an ephemeral GitLab API key with a configurable (usually short) time to live and could revoke a key on demand. This would let CI/CD automation use the GitLab API with a real security gain and little added management cost.
Problem to solve
I currently need to automate the creation of projects and branches, but also manage security for those created projects.
One way of doing this, as of writing this request, is to create a user and generate a static personal access token, then add it as a masked variable and use it in CI/CD. Rotating this key/token is painful and error-prone. Automating this process would improve security a lot.
Intended users
User experience goal
The user should be able to easily set up GitLab permissions/roles in Vault that grant an automated process (an internal or external script, or CI/CD) access to any available GitLab API; in my specific case, to create/delete groups, projects and branches and to grant permissions to users/groups from different authentication providers (local, LDAP, OpenID, etc.).
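The mechanism sketched in the release notes above (a role-bound key with a short, configurable TTL and on-demand revocation) and the scoped operations listed in this user experience goal, as a runnable Python prototype. This is an added illustration, not GitLab or Vault code; the `TokenIssuer` class, the `gitlab-ci` role, the scope strings and the hash-only token store are assumptions made for the example, and it goes beyond the text by also showing scope denial and purging of expired records.

```python
"""Prototype of the ephemeral, role-bound API tokens this request asks for.
Added illustration, not GitLab or Vault code: TokenIssuer, the "gitlab-ci"
role and the scope strings are assumptions. A token is minted for a role with
a short TTL, only its hash is stored, it can be revoked at any time, and every
use is checked against both expiry and the scopes the role allows."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet


@dataclass
class Role:
    name: str
    scopes: FrozenSet[str]   # API operations this role may perform
    token_ttl: int           # seconds a freshly minted token stays valid


@dataclass
class TokenRecord:
    role: str
    expires_at: float
    revoked: bool = False


class FakeClock:
    # Deterministic clock so expiry can be exercised without sleeping.
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class TokenIssuer:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._roles: Dict[str, Role] = {}
        self._tokens: Dict[str, TokenRecord] = {}   # sha256(token) -> record

    def add_role(self, role: Role) -> None:
        self._roles[role.name] = role

    @staticmethod
    def _digest(token: str) -> str:
        # Only the digest is stored, so a leaked token table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, role_name: str) -> str:
        role = self._roles[role_name]
        token = "eph-" + secrets.token_urlsafe(32)   # 256 bits of entropy
        self._tokens[self._digest(token)] = TokenRecord(
            role=role.name, expires_at=self._clock() + role.token_ttl)
        return token

    def authorize(self, token: str, scope: str) -> bool:
        """True only if the token exists, is unrevoked, unexpired and its role allows scope."""
        rec = self._tokens.get(self._digest(token))
        if rec is None or rec.revoked or self._clock() >= rec.expires_at:
            return False
        return scope in self._roles[rec.role].scopes

    def revoke(self, token: str) -> bool:
        rec = self._tokens.get(self._digest(token))
        if rec is None:
            return False
        rec.revoked = True
        return True

    def purge_expired(self) -> int:
        """Drop records whose TTL has elapsed; returns how many were removed."""
        dead = [d for d, r in self._tokens.items() if r.expires_at <= self._clock()]
        for d in dead:
            del self._tokens[d]
        return len(dead)


def demo() -> Dict[str, object]:
    """Walk a CI job's token through its lifecycle: use, scope denial, expiry, revocation."""
    clock = FakeClock()
    issuer = TokenIssuer(clock=clock)
    issuer.add_role(Role("gitlab-ci", frozenset({"projects:create", "branches:create"}), 300))
    tok = issuer.issue("gitlab-ci")
    out: Dict[str, object] = {
        "create_project": issuer.authorize(tok, "projects:create"),
        "delete_group": issuer.authorize(tok, "groups:delete"),  # not granted to the role
    }
    clock.advance(301)                                           # past the 300 s TTL
    out["after_expiry"] = issuer.authorize(tok, "projects:create")
    tok2 = issuer.issue("gitlab-ci")
    issuer.revoke(tok2)                                          # key leaked? kill it now
    out["after_revoke"] = issuer.authorize(tok2, "projects:create")
    out["purged"] = issuer.purge_expired()                       # only tok has expired
    return out
```

The two properties that matter for the request are visible in `demo()`: the same token that created a project is refused after its TTL elapses without anyone rotating anything, and a token suspected of leaking is dead the moment `revoke()` is called. Storing only the SHA-256 of the token means a dump of the token table does not hand an attacker usable credentials.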
Proposal
Further details
Permissions and Security
Documentation
Availability & Testing
Available Tier
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.