GitLab Secrets Manager - Group-level management
## **Problem Statement**
Organizations that manage many projects within a group need a central place to manage the secrets those projects share. Currently, secrets can only be managed at the project level, which forces administrators to:
* Duplicate the same secret across multiple projects
* Manage and rotate secrets individually for each project
* Work without a unified view of the secrets used across related projects
Group-level secrets management addresses these pain points by enabling:
* **Centralized Management:** Secrets defined once at the group level
* **Inheritance:** Projects automatically access parent group secrets
* **Simplified Administration:** Reduced overhead for secret administrators
* **Hierarchical Control:** Different access levels for different groups
---
## **Goals & Success Metrics**
### **Primary Goals**
1. **Enable group-level secret creation and management** - Allow _group owners_ to create, update, and delete secrets at the group level
2. **Implement access control** - Provide granular permissions for who can manage group secrets
3. **Support CI/CD integration** - Allow pipelines to fetch group secrets by explicitly naming the source group in the job configuration
4. **Maintain parity with project secrets** - Feature completeness with project-level secrets manager
5. **Ensure security** - Implement proper authentication, authorization, and audit logging
### **Success Metrics**
* Group owners can successfully create and manage secrets
* Pipelines can fetch group secrets via `source: group/ID` syntax
* All group secret operations are audited
* Zero security vulnerabilities in group secrets implementation
* Feature adoption across organizations with multi-project groups
---
## **Scope & Features**
### **Core Features**
#### **1. Enable/Disable Group Secrets Manager**
* Group owners can toggle secrets manager on/off
* Automatic provisioning of OpenBao namespace and policies
* State machine management (provisioning → active → deprovisioning)
* Feature flag: `group_secrets_manager`
#### **2. Access Control & Permissions**
* Granular permission management for group secrets
* Support for Users, Roles, and Groups as principals
* Permission types: Create, Read, Update, Delete
* CEL-based authentication similar to project secrets
#### **3. Secret CRUD Operations**
* **Create:** Add new secrets with optional rotation intervals
* **Read:** Retrieve an individual secret or list all group secrets
* **Update:** Modify secret values, descriptions, and protection status
* **Delete:** Remove secrets and clean up policies
* Stale indicator mechanism for partially failed operations
#### **4. Secret Rotation Reminders**
* Rotation reminders via background jobs
* Notification to group owners/maintainers
* Parity with project-level rotation features
#### **5. CI/CD Integration**
* Pipelines can fetch group secrets using `source: group/ID` syntax
* JWT claims include `project_group_ids` for access validation
* Support for multiple secret sources in same pipeline
* Access is restricted to the pipeline's own group/subgroup hierarchy: a project can fetch secrets only from the groups it belongs to (its ancestor groups), never from unrelated groups.
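The two rules above (the `project_group_ids` claim and the same-hierarchy restriction) are easiest to see as one authorization check. The following Ruby is an added example written for this page, not GitLab code: it parses the job's `source:` value, validates the secret name, and allows a group read only when the requested group ID appears in the token's `project_group_ids` claim. The claim layout (a list of ancestor group IDs), the `SOURCE_RE`/`NAME_RE` patterns and the `group_<id>/<name>` path layout are assumptions for illustration.

```ruby
# Added example (not GitLab's implementation): authorization decision for a
# CI job that asks for a secret via `gitlab_secrets_manager: { name:, source: }`.
# Assumed claim layout: "project_id" (integer) and "project_group_ids"
# (integer IDs of every ancestor group of that project).

# Accept only "project" or "group/<numeric id>"; anything else (traversal,
# extra path segments, a group path) is rejected before policy evaluation.
SOURCE_RE = %r{\A(?<kind>project|group)(?:/(?<id>\d+))?\z}
# Assumed secret-name charset; keeps the name from steering the storage path.
NAME_RE = /\A[A-Za-z0-9_\-]{1,255}\z/

class SecretSourceError < StandardError; end

def parse_source(source)
  m = SOURCE_RE.match(source.to_s)
  raise SecretSourceError, "malformed source: #{source.inspect}" unless m
  raise SecretSourceError, "group source requires a numeric id" if m[:kind] == "group" && m[:id].nil?
  raise SecretSourceError, "project source takes no id" if m[:kind] == "project" && m[:id]

  { kind: m[:kind].to_sym, id: m[:id]&.to_i }
end

# Returns the storage path the job may read (assumed layout), or raises.
def authorize_secret_read(claims, source:, name:)
  raise SecretSourceError, "invalid secret name: #{name.inspect}" unless NAME_RE.match?(name.to_s)

  src = parse_source(source)
  namespace =
    case src[:kind]
    when :project
      "project_#{Integer(claims.fetch('project_id'))}"
    when :group
      # The token carries the project's ancestry; a group outside it is denied
      # even if the group exists and has the secret.
      allowed = Array(claims["project_group_ids"]).map { |g| Integer(g) }
      unless allowed.include?(src[:id])
        raise SecretSourceError,
              "group #{src[:id]} is not an ancestor of project #{claims['project_id']}"
      end
      "group_#{src[:id]}"
    end

  "#{namespace}/#{name}"
end

# Constructed sample: project 42 lives in subgroup 7, which lives in group 3.
if __FILE__ == $PROGRAM_NAME
  claims = { "project_id" => 42, "project_group_ids" => [7, 3] }
  puts authorize_secret_read(claims, source: "group/3", name: "db_password")
  begin
    authorize_secret_read(claims, source: "group/99", name: "db_password")
  rescue SecretSourceError => e
    puts "denied: #{e.message}"
  end
end
```

Note that the check is on the ancestry carried inside the signed token, not on a lookup the job can influence; the parser's strictness matters because the `source:` string comes straight from `.gitlab-ci.yml`, which any developer with push access can edit.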
#### **6. Audit Logging**
* Complete audit trail for all group secret operations
* Track create, update, delete, enable, disable actions
* Include user, timestamp, and operation details
#### **7. User Interface**
* Navigation menu integration under "Secure" section
* View and manage group secrets
* Create, read, update, and delete group secrets
* Specify rotation reminders
* Enable/disable toggle in group settings
* Permission management in general settings
### **API Endpoints (GraphQL)**
**Mutations:**
* `groupSecretsManagerInitialize` - Enable secrets manager
* `groupSecretsManagerDeprovision` - Disable secrets manager
* `groupSecretCreate` - Create new secret
* `groupSecretUpdate` - Update secret
* `groupSecretDelete` - Delete secret
* `groupSecretPermissionUpdate` - Grant/revoke permissions
* `groupSecretPermissionDelete` - Remove all permissions
**Queries:**
* `group.secretsManager` - Get secrets manager status
* `groupSecrets` - List all group secrets
* `groupSecret(name:)` - Get specific secret
* `group.secretPermissions` - List permissions
## **User Experience**
### **Group Owner Workflow**
* Settings -> General -> Permissions and Group Features
  1. Enable the secrets manager (triggers provisioning)
  2. Configure permissions for team members
     1. Add or remove users, roles, or groups as principals
     2. Assign each principal the permission types it needs (create, read, update, delete)
* Secure -> Secrets Manager
  1. Create and manage secrets, with optional rotation intervals
* Secure -> Audit Events
  1. View audit logs for Secrets Manager events
### **Developer Workflow**
1. Reference the group secret in the job's CI/CD configuration
2. Specify the secret source: `source: group/ID`
3. The pipeline fetches the secret from the group namespace at job start
4. The secret is exposed to the job; by default it is written to a temporary file and the variable holds that file's path
```yaml
job:
  secrets:
    TEST_SECRET:
      gitlab_secrets_manager:
        name: foo
        source: group/<path_of_the_group>
  script:
    # TEST_SECRET holds the path of the file containing the secret (default file: true).
    # Printing it writes the secret to the job log; do this only while verifying setup.
    - cat $TEST_SECRET
```
## **Out of scope**
* Environment or branch scoping
## **Related Resources**
* [Planning Breakdown Issue](https://gitlab.com/gitlab-org/gitlab/-/issues/479575)
* [Design Issue](https://gitlab.com/gitlab-org/gitlab/-/issues/545534)
* [UX Research](https://gitlab.com/gitlab-org/ux-research/-/issues/3423)
* [Parent Epic: GA - GitLab Secrets Manager](https://gitlab.com/groups/gitlab-org/-/work_items/10723)