project_env group not set on DAST stop job when using ci_job access
I followed the guide to set up my project with ci_job permissions.
```yaml
ci_access:
  projects:
    - id: path/to/project
      access_as:
        ci_job: {}
```
I'm using a role which is bound to the `gitlab:project_env:4:dast-default` group to give my pipeline the ability to deploy a DAST environment. The role grants the group full privileges (i.e. `apiGroups: [*]`, `resources: [*]`, `verbs: [*]`). Currently this works well for the `dast_environment_deploy` job included in the Auto-DevOps pipeline; however, when it comes to the `stop_dast_environment` job, it fails with an error suggesting that the user doesn't have permission to delete a secret.
```
Error from Server (Forbidden): secrets "dast-default-secret" is forbidden: User "gitlab:ci_job:738" cannot delete resources "secrets" in API Group "" in the namespace "gitlab-4-dast-default"
```
When I check the logs for both jobs I see the following:

```
# dast_environment_deploy
"impersonatedUser": {
  "username": "gitlab:ci_job:734",
  "groups": [
    "gitlab:ci_job",
    "gitlab:group:12",
    "gitlab:group:6",
    "gitlab:project:4",
    "gitlab:project_env:4:dast-default",
    "system:authenticated"
  ]
}
```

```
# stop_dast_environment
"impersonatedUser": {
  "username": "gitlab:ci_job:738",
  "groups": [
    "gitlab:ci_job",
    "gitlab:group:12",
    "gitlab:group:6",
    "gitlab:project:4",
    "system:authenticated"
  ]
}
```
It appears as if the `gitlab:project_env` group has not been correctly set, despite that job having an environment set. This was using the standard Auto-DevOps pipeline, and I can confirm that both jobs were in the same `dast-default` environment, and both had the `CI_ENVIRONMENT_SLUG`. The only difference, as far as I can see, is that the "stop" job has the `action: stop` property on the environment in the CI config.
```yaml
# merged .gitlab-ci.yml
# trimmed for clarity
dast_environment_deploy:
  environment:
    name: dast-default
    url: http://dast-$CI_PROJECT_ID-$CI_ENVIRONMENT_SLUG.$KUBE_INGRESS_BASE_DOMAIN
    on_stop: stop_dast_environment

stop_dast_environment:
  environment:
    name: dast-default
    action: stop
```
Currently this means that our pipelines are able to build and deploy to our environments, but not clean them up.
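A small check for the symptom above, added here as an example and not taken from the report or from GitLab: it scans Kubernetes audit-log entries for impersonated `ci_job` users acting in a `gitlab-<project_id>-<environment_slug>` namespace without the matching `gitlab:project_env` group. The namespace layout and the JSON-lines input format are assumptions; the log fragment is constructed from the two entries quoted above.

```python
import json

# Constructed JSON-lines audit log modelled on the two impersonatedUser
# blocks quoted in the report (constructed sample, not the real records).
AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create",
     "objectRef": {"resource": "secrets", "namespace": "gitlab-4-dast-default"},
     "impersonatedUser": {"username": "gitlab:ci_job:734",
                          "groups": ["gitlab:ci_job", "gitlab:group:12", "gitlab:group:6",
                                     "gitlab:project:4", "gitlab:project_env:4:dast-default",
                                     "system:authenticated"]}},
    {"verb": "delete",
     "objectRef": {"resource": "secrets", "namespace": "gitlab-4-dast-default"},
     "impersonatedUser": {"username": "gitlab:ci_job:738",
                          "groups": ["gitlab:ci_job", "gitlab:group:12", "gitlab:group:6",
                                     "gitlab:project:4", "system:authenticated"]}},
])

def parse_namespace(namespace):
    """Split a 'gitlab-<project_id>-<environment_slug>' namespace into its parts.
    This layout matches the namespace in the report; it is assumed to be the convention."""
    if not namespace.startswith("gitlab-"):
        return None
    project_id, _, slug = namespace[len("gitlab-"):].partition("-")
    if not project_id.isdigit() or not slug:
        return None
    return project_id, slug

def expected_groups(project_id, slug):
    """Groups an environment-scoped RoleBinding for this namespace would be keyed on."""
    return {f"gitlab:project:{project_id}",
            f"gitlab:project_env:{project_id}:{slug}"}

def scan_audit_log(text):
    """Return {impersonated ci_job username: sorted missing groups} for every request
    into a GitLab-managed namespace whose impersonated identity lacks an expected group."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        user = entry.get("impersonatedUser") or {}
        parsed = parse_namespace(entry.get("objectRef", {}).get("namespace", ""))
        if parsed is None or not user.get("username", "").startswith("gitlab:ci_job:"):
            continue
        missing = expected_groups(*parsed) - set(user.get("groups", []))
        if missing:
            findings[user["username"]] = sorted(missing)
    return findings

if __name__ == "__main__":
    for user, groups in scan_audit_log(AUDIT_LOG).items():
        print(f"{user} is missing {', '.join(groups)}")
```

Run against a real audit log, the only hit for the scenario above is the stop job's identity, which confirms the missing group rather than a RoleBinding typo.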