Remove shared JWTs
Shared JWTs were initially created to make it easy for jobs to have a JWT for authenticating with third-party services like HashiCorp Vault. The issue is that this implementation gave every job access to JWTs regardless of whether they needed it. The new id_tokens keyword still uses JWTs, but they are only given to the jobs that use the keyword.
Starting in %16.0 we made it so all CI jobs have access to the shared JWTs (CI_JOB_JWT, CI_JOB_JWT_V1, CI_JOB_JWT_V2) except for those jobs that are using the id_tokens keyword.
The final step is to remove the shared JWTs, which forces users to use the new id_tokens keyword instead and removes JWT access from all other jobs that don't need it.
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
Plan:
- Remove the shared JWT tokens behind feature flag 'remove_shared_jwts'
- Enable the feature flag in production
- Remove the feature flag from code in %17.0
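
For a job that currently reads a shared JWT, the change described above looks like the following .gitlab-ci.yml. This is an added example, not part of the original issue; the Vault address, role name, secret path and the token variable name VAULT_ID_TOKEN are hypothetical, and the runner image is assumed to provide the vault CLI.

```yaml
# Added example. vault.example.com, example-role and secret/example/db
# are hypothetical placeholders.

# Before: relies on the shared JWT that every job receives.
read_secret_before:
  variables:
    VAULT_ADDR: https://vault.example.com
  script:
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=example-role jwt=$CI_JOB_JWT)"
    - vault kv get -field=password secret/example/db

# After: the job opts in with id_tokens, and the token is issued
# only to this job with an explicit audience.
read_secret_after:
  variables:
    VAULT_ADDR: https://vault.example.com
  id_tokens:
    VAULT_ID_TOKEN:            # variable name chosen by the job author
      aud: https://vault.example.com
  script:
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=example-role jwt=$VAULT_ID_TOKEN)"
    - vault kv get -field=password secret/example/db

# A job that does not declare id_tokens. Once the shared JWTs are
# removed, CI_JOB_JWT, CI_JOB_JWT_V1 and CI_JOB_JWT_V2 are not set
# here, so this job holds no JWT it could present to Vault.
unit_tests:
  script:
    - make test
```

On the Vault side, the role's bound_audiences has to include the value given in aud, otherwise the login in read_secret_after is rejected.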