Fix identity for aws_secrets_manager_resolver
Summary
When aws_role_arn isn’t set, it should fall back to the default AWS credentials, see aws_secrets_management documentation
Steps to reproduce
- Install the GitLab Runner version 18.2+.
- Ensure your self-hosted GitLab instance is version 18.2 or higher.
- Eanble a FF
ci_aws_secrets_manager - Create the
app-secrets/databasesecret in AWS Secrets Manager and a fieldpassword. - Provision an IAM role and assign it to your GitLab Runner instance.
- Set up a test project using the
.gitlab-ci.ymlfile provided below:
variables:
AWS_REGION: us-east-1
fetch-password-via-aws-cli:
stage: test
script:
- echo "Fetching DB password using aws cli from Secrets Manager..."
- 'export SECRET_JSON=$(aws secretsmanager get-secret-value --secret-id app-secrets/database --region "$AWS_REGION" --query SecretString --output text)'
- 'export DATABASE_PASSWORD=$(echo "$SECRET_JSON" | jq -r ".password")'
- 'echo "Password: $DATABASE_PASSWORD"'
database-migration:
secrets:
DATABASE_PASSWORD:
aws_secrets_manager:
secret_id: app-secrets/database
field: 'password'
file: false
stage: deploy
script:
- 'echo "DB PASSWORD"'
- 'echo "$DATABASE_PASSWORD"'First scenario fetch-password-via-aws-cli should succeed in any case with the fix and not.
Second scenario database-migration should succeed only after the fix - gitlab-runner!5747 (merged)
Example Project
What is the current bug behavior?
What is the expected correct behavior?
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)(we will only investigate if the tests are passing)
Possible fixes
Patch release information for backports
If the bug fix needs to be backported in a patch release to a version under the maintenance policy, please follow the steps on the patch release runbook for GitLab engineers.
Refer to the internal "Release Information" dashboard for information about the next patch release, including the targeted versions, expected release date, and current status.
High-severity bug remediation
To remediate high-severity issues requiring an internal release for single-tenant SaaS instances, refer to the internal release process for engineers.