Limit token access to Vault secrets based on group membership
Problem to Solve
Ultimate customer wants to limit which users can access some secrets based on group membership. They are using the GitLab-Vault integration.
Assuming an "admins" group exists, only the users which are direct members of it can trigger pipelines which require access to these secrets.
Documentation says this is possible, but it's not clear how:
You can control ID token access to Vault secrets by using Vault protections and GitLab features. For example, restrict the token by:
- Using Vault bound claims for specific groups using group_claim.
Restricting access based on a list of GitLab usernames is painful to maintain because this is to be done outside of GitLab (in Vault).
Proposal
Going through the OIDC integration documentation, the groups_direct field seems to be what is needed in the JWT integration. Currently this field is not present in the JWT sent to Vault.
If it's added, a Vault role can be configured like this:
$ vault write auth/jwt/role/myproject-production - <<EOF
{
  "role_type": "jwt",
  "policies": ["myproject-production"],
  "token_explicit_max_ttl": 60,
  "user_claim": "user_email",
  "groups_claim": "groups_direct", #new field
  "bound_claims_type": "glob",
  "bound_claims": {
    "groups": ["admins"], #new field
    "project_id": "22",
    "ref_protected": "true",
    "ref_type": "branch",
    "ref": "auto-deploy-*"
  }
}
EOFEssentially, Vault can be configured to use bound claims for specific groups which is mentioned in the documentation.
Currently the error is:
ERROR: Job failed (system failure): resolving secrets: initializing Vault service: preparing authenticated client: authenticating Vault client: writing to Vault: api error: status code 400: failed to fetch groups: "groups_direct" claim not found in token