Improved support for GCP Secret Manager secrets in GitLab monorepos for better security and access control


Proposal

A GitLab customer requested improved support for accessing secrets stored in GCP Secret Manager through the GitLab CI/CD integration in their monorepos, where each project is a directory in the GitLab project repository and may have its own standalone CI file in that directory.

Currently, they create the required CI/CD variables for each GCP project integration, scoped to a specific environment name that corresponds to a particular directory in the GitLab project repository and to that environment's credentials.

What is missing is a way to create a policy on the GCP side that can filter and control access to secrets with sufficient granularity when a monorepo is used on the GitLab side of the integration.

The customer is looking for a way for GitLab to customize or add more details to the ID token payload, such as:

  • Introduce a path in the JWT that determines which secret can be retrieved, based on the directory in the project; for example, the directory where the CI file is located?
  • Add group membership to the JWT claims (the original feature rolled out in #435848 (closed), with enhancements for stabilization discussed in #477781)
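To make the gap concrete, here is an added example (not GitLab's code and not the customer's configuration) that evaluates a secret-access policy over the claims of constructed GitLab CI ID tokens. The `sub`, `project_path`, `environment` and `groups_direct` claims are real GitLab ID token claims; `ci_config_path` is a hypothetical claim standing in for the path-based claim proposed above, and the policy evaluator only stands in for a GCP workload identity attribute condition plus IAM binding (it is not GCP's CEL engine). The tokens are unsigned and constructed inline; a real setup must verify the signature before trusting any claim.

```python
import base64
import json

# --- constructed sample tokens -------------------------------------------
# All claim values are invented for this example. Real GitLab ID tokens are
# RS256-signed by the GitLab instance and GCP verifies that signature before
# evaluating any attribute condition; this example skips verification and
# looks only at the claim set.

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (constructed)."""
    header = _b64url(b'{"alg":"RS256","typ":"JWT","kid":"constructed"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"

def decode_claims(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.
    Acceptable here only because the tokens are constructed locally."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

# Claims shared by every job in the monorepo: sub and project_path cannot tell
# services/payments/ from services/billing/, both live in acme/monorepo.
COMMON = {
    "iss": "https://gitlab.example.com",
    "aud": "https://iam.googleapis.com/projects/123456/locations/global/"
           "workloadIdentityPools/gitlab/providers/gitlab",
    "sub": "project_path:acme/monorepo:ref_type:branch:ref:main",
    "project_path": "acme/monorepo",
    "ref": "main",
    "ref_protected": "true",
}

def make_job_token(environment: str, ci_config_path: str = None, groups=()) -> str:
    """Token for one CI job. ci_config_path is the HYPOTHETICAL claim the
    proposal asks for; it is omitted when None to model today's token."""
    claims = {**COMMON, "environment": environment, "groups_direct": list(groups)}
    if ci_config_path is not None:
        claims["ci_config_path"] = ci_config_path
    return make_token(claims)

# --- policy evaluation ----------------------------------------------------
# Each entry lists the claim constraints a token must satisfy to read one
# secret. It stands in for a GCP attribute condition plus IAM bindings.
POLICY = {
    "payments-db-password": {
        "environment_prefix": "payments/",
        "ci_config_path_prefix": "services/payments/",  # hypothetical claim
    },
    "billing-api-key": {
        "environment_prefix": "billing/",
        "ci_config_path_prefix": "services/billing/",   # hypothetical claim
    },
    "shared-ops-token": {
        "groups_direct_any": ["acme/platform-ops"],     # real groups_direct claim
    },
}

def _satisfies(rule: dict, claims: dict, require_path: bool) -> bool:
    env = claims.get("environment", "")
    if "environment_prefix" in rule and not env.startswith(rule["environment_prefix"]):
        return False
    if require_path and "ci_config_path_prefix" in rule:
        # Fail closed: a token without the claim matches no path prefix.
        path = claims.get("ci_config_path", "")
        if not path.startswith(rule["ci_config_path_prefix"]):
            return False
    if "groups_direct_any" in rule:
        groups = set(claims.get("groups_direct", []))
        if not groups.intersection(rule["groups_direct_any"]):
            return False
    return True

def allowed_secrets(token: str, require_path: bool = False, policy: dict = POLICY) -> set:
    """Secrets a token may read. require_path=False models today's claim set
    (environment is the only per-directory signal); True models the proposal."""
    claims = decode_claims(token)
    return {name for name, rule in policy.items() if _satisfies(rule, claims, require_path)}

if __name__ == "__main__":
    # Today: a job in services/billing/ whose CI file declares
    # `environment: payments/prod` is indistinguishable from the real payments job.
    payments_today = make_job_token("payments/prod")
    billing_mislabelled_today = make_job_token("payments/prod")
    print("identical claims:", decode_claims(payments_today) == decode_claims(billing_mislabelled_today))
    print("today, mislabelled billing job reads:", sorted(allowed_secrets(billing_mislabelled_today)))
    # With a path claim the same mislabelled job gets nothing.
    billing_mislabelled = make_job_token("payments/prod", "services/billing/.gitlab-ci.yml")
    print("with path claim:", sorted(allowed_secrets(billing_mislabelled, require_path=True)))
```

Two jobs in different directories of the same monorepo produce identical `sub` and `project_path` claims, and the `environment` claim is whatever each job's own CI file declares (protected environments restrict who may deploy to an environment, not which CI file may declare it). A GCP-side condition on environment therefore cannot tell which directory a job came from; only a claim derived from the job's location, or from group membership, lets the policy fail closed.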

/cc @shampton @jocelynjane @pwu-nia
