Add user role field to CI_JOB_JWT
Background:
CI_JOB_JWT was introduced to enable HashiCorp Vault integration. When a pipeline job authenticates with this JWT, there is no way to identify the user's role or to directly differentiate the Owner, Maintainer, and Developer roles, so fine-grained access to secrets cannot be defined based on user role. Restricting CI_JOB_JWT access via Vault bound claims on user_login, user_email, and group_claim does not solve this problem. Protected branches also do not provide a way to separate the Developer role from the others or to distinguish different access levels. The only possible workarounds are a custom IdP proxy or a Vault authentication plugin.
Use case:
Assume a user_role field is available in the JWT and contains the role of the user within the project where the job was triggered. Using user_role in Vault bound claims or claim_mappings would provide more flexibility and granularity when defining access levels in HashiCorp Vault.
Proposal:
Add a user_role field to the CI_JOB_JWT payload.
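To make the use case concrete, the following added example (not part of this issue, and not GitLab's or Vault's code) models how Vault's JWT-auth bound_claims matching behaves against a CI_JOB_JWT payload, first with the claims available today and then with the proposed user_role claim. The claim names follow the documented CI_JOB_JWT claims; the values, the role names and the user_role claim itself are constructed assumptions, and the bound_claims matcher is a simplified model of Vault's behaviour (exact string or list-of-strings match, no globbing).

```python
import base64
import json

# Constructed sample CI_JOB_JWT payloads. The claim names follow the
# documented CI_JOB_JWT claims (project_path, user_login, user_email, ref,
# ref_protected, ...); the values are made up for this example, and
# "user_role" is the claim this proposal asks for, not an existing claim.
DEVELOPER_JOB = {
    "namespace_path": "example-group",
    "project_path": "example-group/example-project",
    "user_login": "dev-alice",
    "user_email": "alice@example.com",
    "ref": "main",
    "ref_type": "branch",
    "ref_protected": "true",
}
MAINTAINER_JOB = dict(DEVELOPER_JOB, user_login="maint-bob", user_email="bob@example.com")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_unsigned_jwt(payload: dict) -> str:
    """Build an unsigned (alg=none) token purely so the claim matching below
    has something JWT-shaped to parse; a real CI_JOB_JWT is RS256-signed and
    Vault verifies that signature before looking at any claim."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_claims(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))


def bound_claims_match(claims: dict, bound_claims: dict) -> bool:
    """Simplified model of a Vault JWT role's `bound_claims`: every bound claim
    must be present in the token and equal one of the allowed values
    (given as a string or a list of strings)."""
    for name, allowed in bound_claims.items():
        allowed_values = allowed if isinstance(allowed, list) else [allowed]
        if claims.get(name) not in allowed_values:
            return False
    return True


def resolve_policies(token: str, roles: dict) -> list:
    """Return the policies of the first role whose bound_claims match the token."""
    claims = decode_claims(token)
    for role in roles.values():
        if bound_claims_match(claims, role["bound_claims"]):
            return role["policies"]
    return []


# Roles as they can be expressed today: without a role claim, Developer and
# Maintainer jobs on the same protected branch are indistinguishable.
ROLES_TODAY = {
    "project-prod": {
        "bound_claims": {"project_path": "example-group/example-project", "ref_protected": "true"},
        "policies": ["prod-secrets"],
    },
}

# Roles using the proposed claim (hypothetical; requires this feature).
ROLES_WITH_USER_ROLE = {
    "project-prod-maintainers": {
        "bound_claims": {"project_path": "example-group/example-project",
                         "user_role": ["Owner", "Maintainer"]},
        "policies": ["prod-secrets"],
    },
    "project-dev": {
        "bound_claims": {"project_path": "example-group/example-project", "user_role": "Developer"},
        "policies": ["dev-secrets"],
    },
}


def compare() -> dict:
    """Resolve policies for a Developer and a Maintainer job under both role sets."""
    dev_today = encode_unsigned_jwt(DEVELOPER_JOB)
    maint_today = encode_unsigned_jwt(MAINTAINER_JOB)
    dev_new = encode_unsigned_jwt(dict(DEVELOPER_JOB, user_role="Developer"))
    maint_new = encode_unsigned_jwt(dict(MAINTAINER_JOB, user_role="Maintainer"))
    return {
        "today": (resolve_policies(dev_today, ROLES_TODAY),
                  resolve_policies(maint_today, ROLES_TODAY)),
        "with_user_role": (resolve_policies(dev_new, ROLES_WITH_USER_ROLE),
                           resolve_policies(maint_new, ROLES_WITH_USER_ROLE)),
    }


if __name__ == "__main__":
    print(json.dumps(compare(), indent=2))
```

Running it shows the gap the issue describes: with today's claims both jobs land on the same prod-secrets policy, while with a user_role claim the Developer job is routed to dev-secrets and only Owner or Maintainer jobs reach prod-secrets.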