Customer Feedback and Questions: Update CI_JOB_JWT_V2 to support OIDC cloud providers for deployment hardening
This issue is for general feedback from customers using the new alpha implementation of CI_JOB_JWT_V2.
Documentation
- OIDC Overview with GitLab: https://docs.gitlab.com/ee/ci/cloud_services/
- Configure OIDC with AWS: https://docs.gitlab.com/ee/ci/cloud_services/aws/
- Repository example: https://gitlab.com/guided-explorations/aws/configure-openid-connect-in-aws
Provider Specific
- Vault
- AWS
- GCP
Policy setup
- Per Branch
- Per Group
- Per Project
Context:
Our current CI_JOB_JWT implementation is limited to Vault. @bdowney and contributors have drafted an MR for CI_JOB_JWT_V2 which adds OIDC support for AWS and other cloud providers. This allows customers to use temporary credentials from cloud providers without storing secrets in their GitLab projects.
Edited by Joe Randazzo