
Document fully-qualified secret naming for GCP secrets


What does this MR do and why?

This MR documents the fully-qualified secret naming for GCP secrets

In gitlab-runner!4718 (merged) support was added for using GCP secrets from a project other than the one containing the WIF pool. This is done by specifying the fully-qualified secret name.

Document the feature in the GCP secret manager documentation.

Part of gitlab-runner#37487 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

N/A

How to set up and validate locally

See gitlab-runner#37487 (closed) but, in brief:

  1. Create a WIF Pool in Google Project A following https://docs.gitlab.com/ee/ci/secrets/gcp_secret_manager.html
  2. Create a Google Secret in Project B.
  3. Grant the appropriate principalSet://... IAM principal access to the secret via an IAM policy.
  4. Attempt to configure Google Cloud Secret Manager integration as per https://docs.gitlab.com/ee/ci/secrets/gcp_secret_manager.html but use projects/{project-b-id}/secrets/{secret-id} as the secret name.

For example, in .gitlab-ci.yml:

```yaml
# Project A is project 1234565789. Project B is 987654321.
#
# Secret is located at projects/987654321/secrets/my-secret/versions/1 and appropriate
# IAM permissions have been granted to a principalSet://... IAM principal corresponding
# to this CI job.
build:
  id_tokens:
    GCP_ID_TOKEN:
      # The audience is the full resource name of the WIF provider in Project A, the
      # project that hosts the pool, not the project that holds the secret.
      aud: //iam.googleapis.com/projects/1234565789/locations/global/workloadIdentityPools/gitlab/providers/gitlab
  secrets:
    SUPER_SECRET:
      gcp_secret_manager:
        # Fully-qualified name: the secret lives in Project B. A bare secret ID would be
        # looked up in the project given by GCP_PROJECT_NUMBER instead.
        name: projects/987654321/secrets/my-secret
        version: 1
      token: $GCP_ID_TOKEN
  variables:
    # These three still describe the WIF pool and provider in Project A.
    GCP_PROJECT_NUMBER: "1234565789"
    GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID: gitlab
    GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID: gitlab
  script:
    # `secrets:` entries are file-type variables by default, so this prints the path of the
    # temporary file that holds the secret, not the value. Do not print the value itself in
    # job logs.
    - echo $SUPER_SECRET
```
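To make the mechanics behind the steps above concrete, here is an added Python example that is not part of this MR, the gitlab-runner code, or the GitLab docs. It models what a client driving this configuration has to do: resolve the `name` into a fully-qualified `projects/{project}/secrets/{id}` resource (a name already in that form is used as-is, which is what allows Project B; a bare secret ID is assumed, as in the pre-existing docs, to live in `GCP_PROJECT_NUMBER`), build the WIF audience and the STS token-exchange request for the job's ID token, build the `versions.access` URL, and decode the Secret Manager response while checking its `dataCrc32c` field. The regexes, the `attribute.project_id` principal mapping, and the sample response are assumptions constructed for the example.

```python
"""Added example (not gitlab-runner's code): name resolution, WIF token exchange
and Secret Manager access for the .gitlab-ci.yml above. No network calls are made."""
import base64
import json
import re

# Assumed name shapes: GCP secret IDs are letters, digits, '-' and '_'.
SECRET_ID = r"[A-Za-z0-9_-]+"
SHORT_NAME = re.compile(rf"^{SECRET_ID}$")
FULL_NAME = re.compile(rf"^projects/[^/]+/secrets/{SECRET_ID}$")
VERSION = re.compile(r"^(latest|[0-9]+)$")


def resolve_secret_name(name, wif_project_number):
    """Return projects/{project}/secrets/{id} for the given `name`.

    A fully-qualified name is used as-is, so the secret may live in a project
    other than the one holding the WIF pool. A bare ID is assumed to live in
    the project given by GCP_PROJECT_NUMBER (the pre-existing behaviour).
    A name that carries a /versions/N suffix is rejected: the version is a
    separate field.
    """
    if FULL_NAME.match(name):
        return name
    if SHORT_NAME.match(name):
        return f"projects/{wif_project_number}/secrets/{name}"
    raise ValueError(f"malformed secret name: {name!r}")


def is_valid_secret_name(name):
    return bool(FULL_NAME.match(name) or SHORT_NAME.match(name))


def secret_access_url(name, version, wif_project_number):
    """URL of the Secret Manager versions.access method for the resolved secret."""
    if not VERSION.match(str(version)):
        raise ValueError(f"malformed version: {version!r}")
    base = resolve_secret_name(name, wif_project_number)
    return f"https://secretmanager.googleapis.com/v1/{base}/versions/{version}:access"


def wif_audience(project_number, pool_id, provider_id):
    """Full resource name of the WIF provider; must equal the ID token's aud claim."""
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")


def sts_exchange_body(id_token, project_number, pool_id, provider_id):
    """JSON body for POST https://sts.googleapis.com/v1/token (OAuth token exchange).

    The returned access token is what authorises the versions.access call below.
    """
    return {
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": wif_audience(project_number, pool_id, provider_id),
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
        "subjectToken": id_token,
    }


def secret_accessor_principal(project_number, pool_id, attribute, value):
    """principalSet:// identity to grant roles/secretmanager.secretAccessor on the
    Project B secret. `attribute` (e.g. project_id) is assumed to be a mapped
    attribute of the provider in Project A."""
    return (f"principalSet://iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/attribute.{attribute}/{value}")


def crc32c(data):
    """CRC-32C (Castagnoli), the checksum Secret Manager returns as dataCrc32c."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def decode_access_response(body):
    """Decode the versions.access JSON response into the raw secret bytes,
    refusing payloads whose dataCrc32c does not match."""
    payload = json.loads(body)["payload"]
    data = base64.b64decode(payload["data"], validate=True)
    expected = payload.get("dataCrc32c")
    if expected is not None and int(expected) != crc32c(data):
        raise ValueError("secret payload failed CRC32C check")
    return data


def payload_is_intact(body):
    try:
        decode_access_response(body)
        return True
    except ValueError:
        return False


# Constructed sample responses: a well-formed one and one whose data was altered in transit.
SAMPLE_RESPONSE = json.dumps({
    "name": "projects/987654321/secrets/my-secret/versions/1",
    "payload": {"data": base64.b64encode(b"hello").decode(),
                "dataCrc32c": str(crc32c(b"hello"))},
})
TAMPERED_RESPONSE = SAMPLE_RESPONSE.replace(base64.b64encode(b"hello").decode(),
                                            base64.b64encode(b"hellp").decode())

if __name__ == "__main__":
    print(secret_access_url("projects/987654321/secrets/my-secret", 1, "1234565789"))
    print(json.dumps(sts_exchange_body("<id token>", "1234565789", "gitlab", "gitlab"), indent=2))
```

The CRC check matters in practice: Secret Manager documents `dataCrc32c` precisely so that a client can detect a corrupted payload before it is written into a job's environment or a file.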
Edited by Rich Wareham
