Impersonation as user to restrict project and group access

We want to impersonate as the user who triggers the pipeline.

Proposal

Currently it's possible to impersonate as ci-job or static identity. https://docs.gitlab.com/ee/user/clusters/agent/repository.html#use-impersonation-to-restrict-project-and-group-access

However, we want only users of a certain group to be able to use the GitLab agent. So we thought that impersonating as a user would be one way to do this. We could then use k8s RBAC to control access. To do this, we would need to specify the email as the username to get a mapping to our Active Directory.

e.g. configuration of the agent:

ci_access:
  projects:
    - id: path/to/project
      access_as:
        user: {}

As a workaround we use the old cluster certificates and control access by environments which are limited to a group. The limitation is that only a limited group of users is allowed to create projects because we cannot automate the permissions on environments. (no API atm)

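The Kubernetes side of the proposal above, as an added example that is not part of the issue or of GitLab's documentation: RBAC objects that would apply if the agent impersonated the triggering user by email. The email-as-username format, the namespace `team-a`, the address `jane.doe@example.com` and the service account `gitlab-agent` are assumptions and placeholders.

```yaml
# Added illustration, not GitLab's or the issue author's configuration.
# Assumption: with the proposed `access_as: user`, the agent impersonates
# the triggering user's email as the Kubernetes username.
# Placeholders: namespace "team-a", user "jane.doe@example.com",
# service account "gitlab-agent" in namespace "gitlab-agent".
---
# 1. Allow the agent's service account to impersonate only the listed users.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gitlab-agent-impersonate-users
rules:
  - apiGroups: [""]
    resources: ["users"]
    verbs: ["impersonate"]
    resourceNames: ["jane.doe@example.com"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-agent-impersonate-users
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gitlab-agent-impersonate-users
subjects:
  - kind: ServiceAccount
    name: gitlab-agent
    namespace: gitlab-agent
---
# 2. What the impersonated user may do: the built-in "edit" role,
#    scoped to a single namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pipeline-user-edit
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: jane.doe@example.com
```

With `resourceNames` set, a job triggered by any user not on the list fails at the impersonation step, before any namespace-level rule is evaluated.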