Transition to cloud-supported JWT Token (V2)
### Update

We've decided to go for a different approach and allow users to opt in to the new token. It will be the recommended way (and the only way by 16.0) to authenticate with Vault and other cloud providers, but it will require a configuration change. More information in https://gitlab.com/gitlab-org/gitlab/-/issues/356986+

<h3> Background: </h3>

The current CI_JOB_JWT implementation is limited to Vault. @bdowney and contributors have drafted an [MR for CI_JOB_JWT_V2](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72555) which adds OIDC support for AWS and other cloud providers. This allows customers to use temporary credentials from cloud providers without storing secrets in their GitLab projects.

<h3> Scope of Epic </h3>

The scope of this epic is to capture the next steps for communicating to customers adopting the new CI_JOB_JWT with existing and new providers. Communication includes notifying customer success for feedback, documentation, deprecation notice, and public blog post.

14.6:

- [x] Initial [release of CI_JOB_JWT_V2](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72555) as [**Alpha**](https://about.gitlab.com/handbook/product/gitlab-the-product/#alpha)
- [x] Socialize issue to #customer-success in slack for feedback. - @jrandazzo

14.6 - 14.8:

- [x] Gather feedback from customers - https://gitlab.com/gitlab-org/gitlab/-/issues/346737 - Customer Success
- [x] POC of native [CI secrets integration](https://docs.gitlab.com/ee/ci/secrets/) - @jrandazzo
- [ ] Notify customers @nagyv-gitlab
- [ ] Documentation with examples - @jrandazzo
  - [x] Overview (https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77125)
  - [x] AWS (https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77127)
  - [ ] Hashicorp (Update format)
  - [ ] Google
  - [ ] Azure
  - [ ] VMWare

15.2

- [ ] https://gitlab.com/gitlab-org/gitlab/-/issues/356986+

15.3

- [ ] https://gitlab.com/gitlab-org/gitlab/-/issues/360657+

15.x

- [ ] Document examples for JWT integration with cloud providers

16.0

- [ ] https://gitlab.com/gitlab-org/gitlab/-/issues/366798+

<details><summary>Old implementation plan</summary>

**Changes**

<p>
Current Implementation:
<details>
<pre><code>{
  "jti": "c82eeb0c-5c6f-4a33-abf5-4c474b92b558",
  "iss": "gitlab.example.com",
  "iat": 1585710286,
  "nbf": 1585798372,
  "exp": 1585713886,
  "sub": "job_1212",
  "namespace_id": "1",
  "namespace_path": "mygroup",
  "project_id": "22",
  "project_path": "mygroup/myproject",
  "user_id": "42",
  "user_login": "myuser",
  "user_email": "myuser@example.com",
  "pipeline_id": "1212",
  "pipeline_source": "web",
  "job_id": "1212",
  "ref": "auto-deploy-2020-04-01",
  "ref_type": "branch",
  "ref_protected": "true",
  "environment": "production",
  "environment_protected": "true"
}
</code></pre>
</details>

New (Breaking) implementation:
<details>
<pre><code>{
  "namespace_id": "1",
  "namespace_path": "root",
  "project_id": "20",
  "project_path": "root/aws-jwt-auth",
  "user_id": "1",
  "user_login": "root",
  "user_email": "admin@example.com",
  "pipeline_id": "190",
  "pipeline_source": "push",
  "job_id": "546",
  "ref": "main",
  "ref_type": "branch",
  "ref_protected": "true",
  "environment": "prod",
  "environment_protected": "false",
  "jti": "c0adeb51-bf1d-4840-81dd-57c58564c109",
  "iss": "https://3000-green-wolverine-of056ezd.ws-us17.gitpod.io",
  "iat": 1638209391,
  "nbf": 1638209386,
  "exp": 1638212991,
  "sub": "project_path:root/aws-jwt-auth:ref_type:branch:ref:main",
  "aud": "https://3000-green-wolverine-of056ezd.ws-us17.gitpod.io"
}
</code></pre>
</details>

Diff
<details>
<pre><code>Changed: By appending "https://" to support cloud providers
"iss": "https://3000-green-wolverine-of056ezd.ws-us17.gitpod.io",

Changed (job id to group/project path): To support filtering with IAM policies
"sub": "project_path:root/aws-jwt-auth:ref_type:branch:ref:main",

Added: Required by OIDC for handshake
"aud": "https://3000-green-wolverine-of056ezd.ws-us17.gitpod.io"
</code></pre>
</details>
</p>
</details>