Leverage GitLab Helper Image to Assume AWS Cloud Roles when Variable is Defined
Release notes
GitLab recognizes that CD pipelines often depend on access to cloud resources. GitLab now handles logging in to your cloud provider automatically when the provider-specific variable is defined.
When AWS_CONFIG_FILE is defined, GitLab attempts to log in to AWS through the STS API using that configuration.
Problem to solve
When using the OIDC integration between GitLab and AWS, you must run the Amazon AWS CLI image and call sts assume-role-with-web-identity to authenticate to AWS, which prevents users from running the CI/CD job in a purpose-built image.
GitLab file-type variables combined with nested variables let you assemble a fully compatible AWS_CONFIG_FILE (a profile carrying role_arn and web_identity_token_file), but something still has to invoke AWS with that config file to exchange the OIDC token for credentials. This either relies on the end user knowing how to call the STS API, or on the amazon/aws-cli:latest image, which again prevents the use of other images. In the worst case, the end user authenticates in one job, exports the resulting credentials as job artifacts, and then consumes them in a second job with the deployment image, which exposes live credentials through GitLab job artifacts.
Intended users
User experience goal
When a user defines the AWS_CONFIG_FILE variable, GitLab automatically authenticates the CI job.
Proposal
When a user defines the AWS_CONFIG_FILE variable, GitLab Runner authenticates to AWS on behalf of the user from the process run by the GitLab Runner helper, so the end user no longer has to perform the authentication inside their CI script.
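The manual version of the flow this proposal would automate, as an added example that is not part of the original issue or of GitLab's own code: a job in a purpose-built image (no amazon/aws-cli image) exchanges its GitLab OIDC ID token for AWS credentials purely through an AWS_CONFIG_FILE profile, and nothing credential-bearing is ever declared as an artifact. The role ARN, account ID, audience, image name and deploy.py are placeholders; the example assumes an IAM OIDC identity provider for the GitLab instance exists in the target account and that the role's trust policy conditions on the token's aud and sub.

```yaml
# Added example (hypothetical job), not code from the issue or from GitLab.
# Shows the manual counterpart of the proposal: the AWS SDK inside an
# arbitrary image calls sts:AssumeRoleWithWebIdentity itself, driven only by
# the profile in AWS_CONFIG_FILE, so no aws-cli image, no hand-written STS
# call and no credential artifacts are needed.
#
# Assumed placeholders (not real identifiers):
#   - arn:aws:iam::123456789012:role/gitlab-deploy trusts the instance's IAM
#     OIDC provider, with conditions on aud (https://gitlab.example.com) and sub
#   - python:3.12-slim stands in for any purpose-built image with an AWS SDK
#   - deploy.py is the project's own deployment entry point

deploy:
  image: python:3.12-slim
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.example.com   # must match the aud condition in the role trust policy
  variables:
    AWS_REGION: eu-west-1
    AWS_CONFIG_FILE: $CI_PROJECT_DIR/.aws/config          # every AWS SDK and the CLI read this
    OIDC_TOKEN_FILE: $CI_PROJECT_DIR/.aws/web-identity-token
  before_script:
    # Token and config are owner-readable only, live in the build directory,
    # and are deliberately NOT listed under artifacts:, which is the exposure
    # path the issue warns about.
    - umask 077
    - mkdir -p "$CI_PROJECT_DIR/.aws"
    - printf '%s' "$GITLAB_OIDC_TOKEN" > "$OIDC_TOKEN_FILE"
    # A profile with role_arn + web_identity_token_file makes the SDK perform
    # the AssumeRoleWithWebIdentity exchange transparently on first use.
    - |
      cat > "$AWS_CONFIG_FILE" <<EOF
      [default]
      region = $AWS_REGION
      role_arn = arn:aws:iam::123456789012:role/gitlab-deploy
      web_identity_token_file = $OIDC_TOKEN_FILE
      EOF
  script:
    - pip install --quiet boto3
    # Check: the caller must be the assumed role session, not a static key.
    - python -c "import boto3; print(boto3.client('sts').get_caller_identity()['Arn'])"
    - python deploy.py
```

The get-caller-identity line is the check worth keeping in any variant of this job: if it prints anything other than an assumed-role ARN for the expected role, the profile was not picked up and the job is running on whatever credentials happened to be in the environment. Users of the AWS SDK for Go v1 additionally need AWS_SDK_LOAD_CONFIG=1 set, since that SDK does not read the shared config file by default.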
Further details
Permissions and Security
Documentation
Availability & Testing
Available Tier
Feature Usage Metrics
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
What is the competitive advantage or differentiation for this feature?
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.