# AWS Secrets Manager Integration for GitLab CI/CD

## Description

Implement support for AWS Secrets Manager in GitLab CI/CD to allow users to securely retrieve secrets during pipeline execution, using OpenID Connect (OIDC) tokens for authentication. This integration will expand GitLab's existing secrets provider support (currently HashiCorp Vault, Google Cloud Secret Manager, and Azure Key Vault) to include AWS Secrets Manager, making it easier for AWS users to manage sensitive information securely within their CI/CD pipelines.

## Objectives

- Define the YAML structure for AWS Secrets Manager in CI configuration
- Create resolvers to process AWS Secrets Manager configurations
- Implement AWS SDK integration in GitLab Runner
- Build AWS authentication using GitLab OIDC tokens
- Provide comprehensive documentation and examples
- Ensure secure handling of credentials and proper error handling

## Business Value

This integration will allow GitLab users who use AWS to store sensitive credentials securely in AWS Secrets Manager and retrieve them during pipeline execution, eliminating the need to store secrets in CI/CD variables or third-party tools. This improves security posture, simplifies secrets management, and provides a native integration with AWS services.

## High-level implementation plan

| Issue # | Repository | Title | Description | Weight | Est. Time | Dependencies |
|---------|------------|-------|-------------|--------|-----------|--------------|
| 1 | gitlab | Add AWS Secrets Manager schema | Define the YAML structure for AWS Secrets Manager in CI configuration, including name, version, and authentication parameters | 3 | 3 days | None |
| 2 | gitlab | Create AWS Secrets Manager resolver | Build resolver class that transforms CI configuration into a format that Runner can use to fetch AWS secrets | 5 | 5 days | 1 |
| 3 | gitlab | Update secrets resolver | Enhance the main secrets resolver to process AWS Secrets Manager configurations alongside existing providers | 3 | 2 days | 2 |
| 4 | gitlab | Add feature flag | Create feature flag to enable controlled rollout of AWS Secrets Manager integration to specific environments or projects | 2 | 1 day | 1 |
| 5 | gitlab | Add usage metrics | Implement tracking of AWS Secrets Manager usage to measure adoption and identify potential issues | 2 | 2 days | 2 |
| 6 | gitlab-runner | Add AWS SDK dependencies | Integrate AWS Go SDK into Runner codebase with proper dependency management for AWS services | 2 | 1 day | None |
| 7 | gitlab-runner | Implement AWS authentication | Build authentication service that uses GitLab OIDC tokens to authenticate with AWS STS for secure access | 5 | 6 days | 6 |
| 8 | gitlab-runner | Implement Secrets Manager client | Create client that retrieves secrets from AWS Secrets Manager using authenticated sessions | 5 | 5 days | 7 |
| 9 | gitlab-runner | Update secrets resolver | Modify Runner's secrets resolver to process AWS Secrets Manager requests and handle errors properly | 4 | 3 days | 8 |
| 10 | gitlab-runner | Add unit tests | Develop comprehensive unit tests with mocks to verify AWS Secrets Manager client functions correctly | 3 | 3 days | 8 |
| 11 | gitlab-runner | Add integration tests | Create end-to-end tests that verify the entire AWS Secrets Manager retrieval process works | 4 | 4 days | 9 |
| 12 | gitlab | Update CI/CD docs | Document AWS Secrets Manager integration in GitLab CI/CD with configuration examples and parameters | 2 | 2 days | 1 |
| 13 | gitlab-docs | Create AWS Secrets Manager tutorial | Build step-by-step tutorial showing how to set up AWS IAM roles and retrieve secrets in pipelines | 3 | 3 days | 12 |
| 14 | gitlab-docs | Create example project | Develop a working example project demonstrating real-world use of AWS Secrets Manager in CI/CD | 2 | 2 days | 13 |
| 15 | gitlab | Security review | Conduct security review focusing on credential handling, permissions, and potential vulnerabilities | 4 | 4 days | 3, 9 |
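The OIDC authentication in issues 7 and 13 only stays scoped if the IAM role's trust policy pins both the token audience and the `sub` claim to the intended project; the check below is an added example written for this epic, not code from GitLab or the Runner. The provider host, audience, project path and account id are constructed placeholders, and the `sub` claim format assumed is GitLab's `project_path:<group>/<project>:ref_type:<type>:ref:<ref>`.

```python
import json

# Constructed placeholders, not values from the epic: the GitLab host that issues the
# job's ID token, the `aud` the job requests via `id_tokens:`, and the project path.
PROVIDER_HOST = "gitlab.example.com"
EXPECTED_AUD = "https://gitlab.example.com"
PROJECT_PATH = "platform/payments-api"

# Trust policy of the IAM role the runner assumes with AssumeRoleWithWebIdentity.
# It pins the audience but not the subject, so every project on the instance qualifies.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/gitlab.example.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"gitlab.example.com:aud": "https://gitlab.example.com"}}}]}""")

# Same statement with the `sub` claim restricted to one project's branch pipelines.
HARDENED_POLICY = json.loads(json.dumps(WEAK_POLICY))
HARDENED_POLICY["Statement"][0]["Condition"]["StringLike"] = {
    "gitlab.example.com:sub": "project_path:platform/payments-api:ref_type:branch:ref:*"}


def _as_list(v):
    return v if isinstance(v, list) else ([] if v is None else [v])


def _claim_condition(cond, claim):
    # OIDC claims appear in IAM condition keys as "<provider-host>:<claim>".
    for op in ("StringEquals", "StringLike"):
        if f"{PROVIDER_HOST}:{claim}" in cond.get(op, {}):
            return _as_list(cond[op][f"{PROVIDER_HOST}:{claim}"])
    return None


def check_trust_policy(policy):
    """Return findings for Allow statements that grant AssumeRoleWithWebIdentity too broadly."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if not federated.endswith(f":oidc-provider/{PROVIDER_HOST}"):
            findings.append(f"Principal.Federated {federated!r} is not the {PROVIDER_HOST} OIDC provider")
        cond = stmt.get("Condition", {})
        aud, sub = _claim_condition(cond, "aud"), _claim_condition(cond, "sub")
        if aud is None or EXPECTED_AUD not in aud:
            findings.append(f"aud condition {aud!r} does not pin the token audience to {EXPECTED_AUD!r}")
        if sub is None or not all(s.startswith(f"project_path:{PROJECT_PATH}:") for s in sub):
            findings.append(f"sub condition {sub!r} does not restrict the role to project {PROJECT_PATH!r}")
    return findings
```

Running `check_trust_policy` on the weak policy reports the missing `sub` condition, while the hardened policy passes cleanly.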