Vault integration PoC: Rails for handling credentials/secrets/token

Problem to Solve

Given that the Runner team is highly constrained, we are investigating a Rails implementation of the feature proposed in #28321 (closed), which was intended for Runner.

In Scope

  • Research and document the risks/concerns around implementing the credentials and fetch of the temporary token first in Rails instead of inside the Runner
  • Determine how to secure Rails handling of Vault credentials
  • Technical approach for getting the secret and passing the temporary token to the Runner
  • Review findings of discovery re authentication methods to Vault previously completed in Vault integration for CI/CD proof-of-concept

Out of Scope

  • Feature implementation in Rails for Vault integration
  • Exploration of how the final Vault interaction will integrate or replace existing GitLab secret variables

Proposal

Permissions and Security

Documentation

Testing

What does success look like, and how can we measure that?

Links / references

Edited by Thao Yeager