Ensure OIDC token mapping can be policy enforced and not be manipulated by project settings or CI.

Release notes

GitLab now has policy-based management for OIDC tokens. This enables the value mappings to be enforced by policy across a group hierarchy of projects.

Problem to solve

OIDC tokens are eventually written to disk, and the commands that assume the target roles run in CI code that developers can edit (`before_script:`).

Developers naturally become knowledgeable about a variety of role mappings across multiple security contexts and can manipulate either the disk-written assets or the actual role-assumption code to map to other roles.

Proposal

Create the ability for OIDC token settings to be:

  1. Configured in a group as a set of project-specific variables to map (not hard-coded strings).
  2. Inherited by subgroups and projects.
  3. Overridable in subgroups, but ONLY by someone with the right role level (these could be CI variables, if this feature was built: Enforce variables (#417919)).
  4. Used in jobs in a way that is not overridable (STS token commands may have to be run outside the pipeline, or in code that is also immutable in downbound pipelines; perhaps the code for assuming a role could be held in a CI variable as well). The mapping cannot live in variables or disk files that the CI job can change.
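As an added illustration of items 1 to 4, the following is a small model written for this page, not GitLab code: the `Node`, `effective_mapping` and `token_settings` names, the Maintainer threshold for overrides, and the sample variables are all assumptions. It resolves a job's OIDC settings from the group hierarchy and protected variables only, discarding overrides saved by lower roles and anything the job itself tries to set.

```python
from dataclasses import dataclass, field

# GitLab access levels (real values); the override threshold is an assumption of this model.
DEVELOPER, MAINTAINER, OWNER = 30, 40, 50
MIN_OVERRIDE_LEVEL = MAINTAINER


@dataclass
class Node:
    """One group, subgroup or project in the hierarchy (hypothetical model)."""
    path: str
    mapping: dict = field(default_factory=dict)  # claim/setting -> protected variable NAME
    set_by_level: int = OWNER                    # access level of whoever saved the mapping


def effective_mapping(chain):
    """Walk root group -> subgroups -> project (item 2); keep only overrides saved by
    someone at or above MIN_OVERRIDE_LEVEL (item 3). Later authorised nodes win."""
    effective = {}
    for node in chain:
        if node.set_by_level >= MIN_OVERRIDE_LEVEL:
            effective.update(node.mapping)
    return effective


def token_settings(chain, protected_vars, job_vars):
    """Resolve the policy against protected variables only (item 1).
    job_vars is whatever the CI YAML or before_script can set; it is never used as a
    value (item 4). Returns (settings, names the job tried to shadow) so the shadowing
    attempt can be surfaced as an audit event."""
    policy = effective_mapping(chain)
    missing = [v for v in policy.values() if v not in protected_vars]
    if missing:
        raise ValueError(f"policy references undefined protected variables: {missing}")
    settings = {claim: protected_vars[var] for claim, var in policy.items()}
    shadowed = sorted(set(job_vars) & set(policy.values()))
    return settings, shadowed


if __name__ == "__main__":
    # Constructed sample hierarchy and variables; the ARNs are placeholders.
    root = Node("acme", {"aud": "OIDC_AUDIENCE", "role_arn": "DEPLOY_ROLE_ARN"}, OWNER)
    sub = Node("acme/payments", {"role_arn": "PAYMENTS_ROLE_ARN"}, MAINTAINER)
    proj = Node("acme/payments/api", {"role_arn": "ADMIN_ROLE_ARN"}, DEVELOPER)
    protected = {"OIDC_AUDIENCE": "https://sts.example.invalid",
                 "DEPLOY_ROLE_ARN": "arn:aws:iam::123456789012:role/deploy",
                 "PAYMENTS_ROLE_ARN": "arn:aws:iam::123456789012:role/payments"}
    job_attempt = {"PAYMENTS_ROLE_ARN": "arn:aws:iam::123456789012:role/admin"}
    print(token_settings([root, sub, proj], protected, job_attempt))
```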

Intended users

Feature Usage Metrics

Does this feature require an audit event?

Perhaps changes to the OIDC mapping policy should be audit logged.

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.