[CI] External secrets not available in services
I just noticed that external secrets (at least from Azure Key Vaults) are not present in services, even though they are available in the corresponding job.
I understand this might be a security risk, but it would be nice to at least have the option (maybe via a feature flag?) to do this.
Minimal example:
```yaml
test:
  image: alpine
  id_tokens:
    AZURE_JWT:
      aud: https://gitlab.com
  variables:
    CI_DEBUG_SERVICES: "true"
    AZURE_KEY_VAULT_SERVER_URL: "https://example.vault.azure.net"
    AZURE_CLIENT_ID: example
    AZURE_TENANT_ID: example
  secrets:
    TEST_VAR:
      file: false
      azure_key_vault:
        name: "example"
  services:
    - name: alpine
      entrypoint: ["sh"]
      command: ["-c", "echo TEST_VAR is $TEST_VAR"]
  script:
    - echo "TEST_VAR is $TEST_VAR"
```
Output:
```
Service container logs:
2025-07-31T12:51:19.313792248Z TEST_VAR is
*********
[...]
$ echo "TEST_VAR is $TEST_VAR"
TEST_VAR is [MASKED]
```
This also does not work when explicitly doing something like
```yaml
variables:
  NEW_VAR: $TEST_VAR
```
in the service's definition.
(If this is important for prioritization: We are a Premium customer currently using 15 seats.)
Edited by 🤖 GitLab Bot 🤖