Skip to content

Allow id_tokens to be configured as file type variables

Tomasz Maczukin requested to merge allow-id-tokens-to-be-set-as-file-variables into master

What does this MR do and why?

The id_tokens key in .gitlab-ci.yml file allows to define one or more JWT tokens that will be created with the defined aud claim and provided to the job as a regular variable.

Until now the type of the variable was not controlled and it was always a "variable" type. For example, with configuration like:

job:
  id_tokens:
    MY_TOKEN:
      aud: some-aud
  script:
    - echo $MY_TOKEN

a new JWT for MY_TOKEN would be generated and send to the GitLab Runner with the job payload. In the job execution the value of this token would be available directly as the value of MY_TOKEN environment variable.

While that works, in some cases we may want to put the value of the token in a file pointed by a variable.

In case of the example above, if we would need to have the token present in a file (that next some tool will consume), we would need to create such file manually, for example as:

job:
  id_tokens:
    MY_TOKEN:
      aud: some-aud
  variables:
    MY_TOKEN_FILE: "${CI_PROJECT_DIR}.tmp/MY_TOKEN"
  script:
    - echo $MY_TOKEN > "${MY_TOKEN_FILE}"
    - custom-tool --token-file "${MY_TOKEN_FILE}" run

While this works, it's a hack. And in GitLab CI/CD we have a native way to mark a variable to be a "file" type variable.

The type can be configured for variables defined in the UI. It's also configurable for the variables crated for secrets. With the change here, we can now do the same for id_tokens. The example above can be now simplified to:

job:
  id_tokens:
    MY_TOKEN_FILE:
      aud: some-aud
      file: true
  script:
    - custom-tool --token-file "${MY_TOKEN_FILE}" run

With this GitLab Runner will create the file based variable that will be pointed by MY_TOKEN_FILE environment variable - all of that happens now natively as for any other file variable defined in GitLab.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Tomasz Maczukin

Merge request reports