Feat(ci): add aud claim to CI_JOB_TOKEN

Closed. Mickaël Canévet requested to merge mcanevet/gitlab:mcanevet-master-patch-24286 into master

What does this MR do and why?

Add `aud` claim to `CI_JOB_TOKEN`.

It should be technically possible to authenticate to AWS' IAM and assume a role using CI_JOB_TOKEN. On the AWS side, we just have to create an OIDC identity provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html) and a Role with an `sts:AssumeRoleWithWebIdentity` policy. I tested it, but I get this error when trying to use the CI_JOB_TOKEN in a pipeline: `An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Missing a required claim: aud`.

Indeed, the JWT does not contain an aud claim.

How to reproduce:

  • add `AWS_ROLE_ARN` in your CI/CD variables
  • set `AWS_WEB_IDENTITY_TOKEN_FILE` to `/tmp/whatever-you-want`
  • in your script, run `echo "$CI_JOB_JWT" > "$AWS_WEB_IDENTITY_TOKEN_FILE"`
  • then, run `aws sts assume-role-with-web-identity --role-arn $AWS_ROLE_ARN --role-session-name foo --web-identity-token file://$AWS_WEB_IDENTITY_TOKEN_FILE --duration-seconds 1000`

I guess the only thing to do is add an `aud` claim here: https://gitlab.com/gitlab-org/gitlab/-/blob/b52f21df72daf063afe8f6b31362fd346fe4c1ef/lib/gitlab/ci/jwt.rb#L34

This claim could be set to a list containing the GitLab URL (equivalent of `CI_SERVER_URL`).

Once done, we should be able to authenticate to IAM using CI_JOB_TOKEN and do this: https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/, without having to deploy and maintain a HashiCorp Vault.
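As an added illustration (not GitLab's code and not the change proposed in this MR), the Ruby below mimics both sides of the exchange: a hypothetical builder for the job JWT payload with and without `aud`, and a verifier applying the checks a relying party such as STS performs, so the "Missing a required claim: aud" failure and the proposed fix (an `aud` list holding the GitLab URL) can be reproduced offline. The function names and the token's claim set are assumptions.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Stand-in for a CI job JWT payload (hypothetical shape, not GitLab's lib/gitlab/ci/jwt.rb).
# with_aud: false reproduces the token described in the MR; true adds the claim it proposes.
def build_ci_jwt_payload(server_url:, project_path:, job_id:, with_aud: true, now: Time.now.to_i)
  payload = {
    'iss' => server_url,
    'iat' => now,
    'exp' => now + 300,
    'sub' => "job_#{job_id}",
    'project_path' => project_path
  }
  payload['aud'] = [server_url] if with_aud # list containing the GitLab URL, as proposed
  payload
end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Produce a compact RS256 JWT; OIDC relying parties expect an asymmetric signature.
def encode_jwt(payload, private_key)
  header = b64url({ 'alg' => 'RS256', 'typ' => 'JWT' }.to_json)
  body = b64url(payload.to_json)
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), "#{header}.#{body}")
  "#{header}.#{body}.#{b64url(signature)}"
end

class InvalidIdentityToken < StandardError; end

# Relying-party side: signature first, then the claims a web-identity verifier requires.
# The 'aud' check is the one that fails for a token built with with_aud: false.
def verify_web_identity(token, public_key, expected_aud:, now: Time.now.to_i)
  header, body, signature = token.split('.')
  raise InvalidIdentityToken, 'Malformed token' unless signature
  digest = OpenSSL::Digest.new('SHA256')
  unless public_key.verify(digest, Base64.urlsafe_decode64(signature), "#{header}.#{body}")
    raise InvalidIdentityToken, 'Signature verification failed'
  end
  claims = JSON.parse(Base64.urlsafe_decode64(body))
  raise InvalidIdentityToken, 'Missing a required claim: aud' unless claims.key?('aud')
  unless Array(claims['aud']).include?(expected_aud)
    raise InvalidIdentityToken, 'Incorrect token audience'
  end
  raise InvalidIdentityToken, 'Token expired' if claims['exp'] <= now
  claims
end
```

The audience the verifier expects is the one registered on the identity provider, so a token whose `aud` list does not contain it is rejected even when signed by the right key.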

Edited by Mickaël Canévet