GCP Secret Manager native support: Rails support
Proposal
This proposal is for adding a new CI keyword to configure secrets integration with GCP Secret Manager. The proposed keyword is `secrets:gcp_secret_manager`:
```yaml
job_name:
  id_tokens:
    GCP_SM_ID_TOKEN:
      aud: https://iam.googleapis.com/projects/$GCP_PROJECT_NUMBER/locations/global/workloadIdentityPools/$GCP_WORKLOAD_FEDERATION_POOL_ID/providers/$GCP_WORKLOAD_FEDERATION_PROVIDER_ID # or a custom audience as configured in GCP Workload Identity Pool Provider.
  secrets:
    DATABASE_PASSWORD:
      gcp_secret_manager:
        name: my-project-secret # This is the name of the secret defined in GCP Secret Manager
        version: 1 # optional: defaults to `latest`.
      token: GCP_SM_ID_TOKEN
```
In addition, the following CI variables need to be set by the user:

- `GCP_PROJECT_NUMBER`: GCP Project Number
- `GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID`: GCP Workload Identity Federation Pool ID
- `GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID`: GCP Workload Identity Federation Provider ID
The configuration and variables above will be used to build the job payload that includes the following:
```json
{
  "secrets": {
    "DATABASE_PASSWORD": {
      "gcp_secret_manager": {
        "name": "my-project-secret",
        "version": "1",
        "server": {
          "project_number": "1234",
          "workload_identity_federation_pool_id": "pool-id",
          "workload_identity_federation_provider_id": "provider-id",
          "jwt": "$GCP_SM_ID_TOKEN"
        }
      }
    }
  }
}
```
Given that the shared JWTs `CI_JOB_JWT` and `CI_JOB_JWT_V2` are deprecated and will be removed, the ID token must be specified through `token`. This means that the CI config needs to validate `token` as a required attribute when using `gcp_secret_manager`.
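As an added example (not GitLab's code), the following Ruby sketch performs the validation and payload construction described above: `token` and `name` are required, `version` defaults to `latest`, and the three CI variables fill the `server` block. Helper names are hypothetical, and it assumes `token` sits beside `gcp_secret_manager` in the secret entry, as with the existing `vault` keyword.

```ruby
require 'yaml'
# Added example, not GitLab's implementation (helper names are hypothetical):
# builds the proposal's job payload from one job's `secrets:<NAME>:gcp_secret_manager`
# config plus the three CI variables the proposal requires.
REQUIRED_VARIABLES = %w[GCP_PROJECT_NUMBER GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID
                        GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID].freeze

class ConfigError < StandardError; end
# `token` is mandatory (CI_JOB_JWT / CI_JOB_JWT_V2 are deprecated); `version` defaults to "latest".
def gcp_secret_payload(secret_name, entry, variables)
  sm = entry.is_a?(Hash) ? entry['gcp_secret_manager'] : nil
  raise ConfigError, "#{secret_name}: gcp_secret_manager must be a mapping" unless sm.is_a?(Hash)
  raise ConfigError, "#{secret_name}: name is required" if sm['name'].to_s.empty?
  raise ConfigError, "#{secret_name}: token is required" if entry['token'].to_s.empty?
  missing = REQUIRED_VARIABLES.reject { |v| variables.key?(v) }
  raise ConfigError, "missing CI variables: #{missing.join(', ')}" unless missing.empty?

  {
    'gcp_secret_manager' => {
      'name' => sm['name'],
      'version' => (sm['version'] || 'latest').to_s,
      'server' => {
        'project_number' => variables['GCP_PROJECT_NUMBER'],
        'workload_identity_federation_pool_id' => variables['GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID'],
        'workload_identity_federation_provider_id' => variables['GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID'],
        # The payload carries a reference to the id token variable; the runner resolves it.
        'jwt' => "$#{entry['token'].to_s.delete_prefix('$')}"
      }
    }
  }
end

# Parses a job definition (YAML string) and returns the `secrets` part of the job payload.
def build_secrets_payload(job_yaml, variables)
  secrets = YAML.safe_load(job_yaml).fetch('secrets', {})
  { 'secrets' => secrets.to_h { |name, entry| [name, gcp_secret_payload(name, entry, variables)] } }
end

# Constructed sample mirroring the proposal's job definition (id_tokens section omitted).
SAMPLE_JOB = <<~YAML
  secrets:
    DATABASE_PASSWORD:
      gcp_secret_manager:
        name: my-project-secret
        version: 1
      token: GCP_SM_ID_TOKEN
YAML
SAMPLE_VARIABLES = { 'GCP_PROJECT_NUMBER' => '1234', 'GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID' => 'pool-id',
                     'GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID' => 'provider-id' }.freeze
```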
Edited by Albert