Customer Feedback and Questions: Update CI_JOB_JWT_V2 to support OIDC cloud providers for deployment hardening
This issue is for general feedback from customers using the new alpha implementation of CI_JOB_JWT_V2.
Documentation
- OIDC Overview with GitLab: https://docs.gitlab.com/ee/ci/cloud_services/
- Configure OIDC with AWS: https://docs.gitlab.com/ee/ci/cloud_services/aws/
- Repository example: https://gitlab.com/guided-explorations/aws/configure-openid-connect-in-aws
Provider Specific
- Vault
- AWS
- GCP
Policy setup
- Per Branch
- Per Group
- Per Project
Context:
Our current CI_JOB_JWT implementation is limited to Vault. @bdowney and contributors have drafted an MR for CI_JOB_JWT_V2 which adds OIDC support for AWS and other cloud providers. This allows customers to use temporary credentials from cloud providers without storing secrets in their GitLab projects.
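
The per-branch, per-group and per-project scoping listed under "Policy setup" comes down to how the cloud provider's trust condition matches the token's `sub` claim. The sketch below is an added example, not code from the MR or from GitLab: it models an AWS-style `StringLike` match locally, using the `sub` layout from the GitLab OIDC documentation linked above. The `acme` group, project names and policy labels are constructed for illustration.

```python
import re

# Layout of the `sub` claim as documented by GitLab:
#   project_path:{group}/{project}:ref_type:{type}:ref:{name}
SUB_RE = re.compile(
    r"project_path:(?P<path>[^:]+):ref_type:(?P<ref_type>branch|tag):ref:(?P<ref>.+)"
)

# Constructed trust conditions, one per scoping level (hypothetical names).
POLICIES = {
    "per_branch":  "project_path:acme/payments:ref_type:branch:ref:main",
    "per_project": "project_path:acme/payments:ref_type:branch:ref:*",
    "per_group":   "project_path:acme/*:ref_type:branch:ref:main",
    # Same intent as per_group, but the '/' after the group name is missing.
    "per_group_loose": "project_path:acme*:ref_type:branch:ref:main",
}


def string_like(pattern: str, value: str) -> bool:
    """Local model of a StringLike condition: '*' = any run, '?' = one char."""
    rx = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(rx, value, flags=re.DOTALL) is not None


def parse_sub(sub: str) -> dict:
    """Split a `sub` claim into project path, ref type and ref name."""
    m = SUB_RE.fullmatch(sub)
    if m is None:
        raise ValueError(f"unexpected sub claim layout: {sub!r}")
    return m.groupdict()


def allowed(policy: str, sub: str) -> bool:
    """True if the (already signature-verified) token's sub satisfies the policy."""
    try:
        parse_sub(sub)  # refuse anything that is not in the documented layout
    except ValueError:
        return False
    return string_like(POLICIES[policy], sub)


if __name__ == "__main__":
    fork = "project_path:acme-fork/web:ref_type:branch:ref:main"  # constructed
    for name in POLICIES:
        print(f"{name:16} {allowed(name, fork)}")
```

The `per_group_loose` row is the case to check for when reviewing group-level conditions: without the trailing `/`, a wildcard on the group name also matches any other namespace that merely starts with the same string.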