Frontend: Limit JWT token from all jobs in the pipeline
Release notes
Your software supply chain should include everything needed to deliver and run your software. Securing your supply chain means securing not only your software, but also the surrounding cloud-native infrastructure. In GitLab 15.8, we've added additional layers of protection so that we can move our OIDC token from Alpha to production, increasing the security of your CI/CD workflows with a few key improvements. You can now configure the audience claim (aud:), a reserved claim that identifies the audience the JWT is intended for (the target of the token). Previously the JSON web token was a predefined variable injected automatically into all jobs in a pipeline. In this release we've added the ability to restrict the token variable from all jobs in your pipeline and expose it only in the specific jobs that need it, reducing the risk of leakage from a compromised job.
Problem
Currently, whenever a user configures the JWT token it becomes available to all jobs in the pipeline. Tokens are sensitive information and should not be exposed to all jobs without a reason. We would like to prevent this from happening and allow users to opt in to the token on a per-job basis.
Proposal
As an MVC we will add a setting that restricts access to the JWT token, except for jobs that include the YAML snippet that opts them into access to the JWT token.
- Add a UI setting to Settings > CI/CD > Token Access which allows users to restrict access to the JWT token from jobs.
- When the setting toggle is on, the code snippet will be expanded so the user can add it to their YAML.
- Update the Token Access settings section description with new UI text.
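An added illustration, not part of this issue: a .gitlab-ci.yml showing the per-job opt-in model with the Token Access restriction enabled, using the id_tokens keyword and its aud claim (available since GitLab 15.7). The audience URL, token variable name and job names are assumptions.

```yaml
# Constructed example: a three-stage pipeline in which only the deploy job
# receives an OIDC ID token. With the "limit JWT access" setting enabled,
# the predefined CI_JOB_JWT_V2 variable is no longer injected into every job,
# so build and test run without any token in their environment.
stages:
  - build
  - test
  - deploy

build:
  stage: build
  script:
    - echo "building"   # no id_tokens here: this job never sees a JWT

test:
  stage: test
  script:
    - echo "testing"    # a compromised test script has no token to exfiltrate

deploy:
  stage: deploy
  # Opt this single job into an ID token. The token carries the audience
  # named in 'aud', so a relying party that checks 'aud' rejects it for any
  # other service even if it leaks.
  id_tokens:
    DEPLOY_ID_TOKEN:                       # assumed variable name
      aud: https://vault.example.com       # assumed audience; must match the verifier
  script:
    # The token is exposed to this job only, as $DEPLOY_ID_TOKEN.
    - test -n "$DEPLOY_ID_TOKEN" || { echo "ID token missing"; exit 1; }
    - echo "authenticating to the deployment target with the audience-scoped token"
```

The aud value can also be given as a list when the same token must be accepted by more than one relying party; keep it as narrow as the consumers require.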
Additional comment
This issue will officially move JWT_V2 with OIDC from Alpha to GA.