Variables and secrets management in GitLab CI/CD
Label: ~"ci variables" | [Issue List](https://gitlab.com/gitlab-org/gitlab-ce/issues?label_name%5B%5D=ci+variables)

## Description

Secrets management is one of the most sensitive and critical disciplines in all of DevOps, and it becomes more important as we move toward a fully continuous deployment world. AWS keys, deploy keys and SSH keys are often the attack vector a bad actor or insider threat uses to reach production, so all users and customers care about robust secrets management. [Vault from HashiCorp](https://www.vaultproject.io/) has won this market. Cloud providers offer their own solutions such as [AWS KMS](), [GCP XXX]() and [Azure YYY](), but many users in multi-cloud or on-prem environments use Vault as a single source of truth for authorization and access grants to production systems.

## What's Next & Why

* First, we are going to publish a [blog post](https://gitlab.com/gitlab-com/www-gitlab-com/issues/3777) about how you can make Vault work with GitLab CI/CD **today** (manual integration).
* Next, we are going to do an engineering proof of concept using one or two real-world use cases. The proof of concept is documented in https://gitlab.com/gitlab-org/gitlab-ee/issues/9981.
* GitLab's Infrastructure team is migrating to Vault; that work is tracked in https://gitlab.com/groups/gitlab-com/gl-infra/-/epics/55.
* We are also considering a community contribution in gitlab-ce#53906 that allows a more direct integration as that contributor has designed it (a generic `Identity API` for the gitlab-runner).
* Then, we will use the learnings from those steps to plan a tighter, more bespoke integration with Vault.
* #53906 provides a "generic" interface, but that implementation may have limitations that depend on how it is done.
* We are prioritizing that change because (a) it comes from a customer, (b) it is mostly complete and (c) it will enable integrations other than Vault, such as AWS KMS and GCP's service.
* After we have a tight, easy-to-use integration with a Vault that "you" bring, we should consider bundling open source Vault into GitLab so that **all** users have first-class integration and secrets management.
* If needed after that, consider what Vault's enterprise customers need on top of that integration.

### Other ideas

* Contribute a "GitLab auth" method back upstream

## Competitive Landscape

### HashiCorp Vault

TBW

### Jenkins

There is a [vault plugin](https://github.com/jenkinsci/hashicorp-vault-plugin) for Jenkins that implements the [AppRole](https://www.vaultproject.io/docs/auth/approle.html) and [GitHub](https://www.vaultproject.io/docs/auth/github.html) authentication methods for Vault.

### Azure DevOps/GitHub

TBW

### DroneCI

Drone provides a [secrets plugin](https://docs.drone.io/extend/secrets/) for Vault, AWS Secrets Manager and Kubernetes Secrets, which lets pipelines use [external secrets](https://docs.drone.io/user-guide/secrets/external/).

## Top Customer Success/Sales Issue(s)

The most popular item is [Vault Integration](https://gitlab.com/gitlab-org/gitlab-ce/issues/40720)

## Top Customer Issue(s)

The most popular item is [Vault Integration](https://gitlab.com/gitlab-org/gitlab-ce/issues/40720)

## Top Internal Customer Issue(s)

TBD

## Top Vision Item(s)

The most popular item is [Vault Integration](https://gitlab.com/gitlab-org/gitlab-ce/issues/40720)

<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->
*This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes.
Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.* <!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->
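The "manual integration" referred to under What's Next & Why, as an added example that is not GitLab's code and not taken from the planned blog post: a job script logs in to Vault's AppRole auth method with a role ID and secret ID supplied as protected, masked CI variables, reads one KV version 2 path, and revokes its own token before the job ends. The CI variable names, the mounts `approle` and `secret`, the path `ci/deploy`, the lease policy and the `SampleVault` replies are all assumptions constructed for this example, not anything GitLab or Vault defines.

```python
import json
import os
import urllib.request

# Assumed for this example (not defined by GitLab): the job receives these four
# CI variables, with VAULT_ROLE_ID and VAULT_SECRET_ID stored as protected,
# masked variables. Vault is assumed to have AppRole enabled at "approle" and a
# KV version 2 engine at "secret" (the defaults for both).
CI_VARS = ("VAULT_ADDR", "VAULT_ROLE_ID", "VAULT_SECRET_ID", "VAULT_SECRET_PATH")


def http_transport(method, url, headers, body):
    """Send one request with urllib and decode the JSON reply ({} for empty replies)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def approle_login(addr, role_id, secret_id, transport):
    """POST /v1/auth/approle/login; return (client_token, lease_duration in seconds)."""
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    reply = transport("POST", f"{addr}/v1/auth/approle/login",
                      {"Content-Type": "application/json"}, body)
    auth = reply.get("auth") or {}
    if not auth.get("client_token"):
        raise RuntimeError(f"AppRole login failed: {reply.get('errors')}")
    return auth["client_token"], int(auth.get("lease_duration", 0))


def read_kv2(addr, token, path, transport):
    """GET /v1/secret/data/<path> (KV v2) and return the key/value pairs stored there."""
    reply = transport("GET", f"{addr}/v1/secret/data/{path}",
                      {"X-Vault-Token": token}, None)
    if "data" not in reply:
        raise RuntimeError(f"read of {path} failed: {reply.get('errors')}")
    return dict(reply["data"]["data"])


def revoke_self(addr, token, transport):
    """POST /v1/auth/token/revoke-self so the job's token does not outlive the job."""
    transport("POST", f"{addr}/v1/auth/token/revoke-self", {"X-Vault-Token": token}, b"")


def fetch_job_secrets(env, transport=http_transport, max_lease=3600):
    """The whole per-job flow: login, policy check on the token, read, revoke."""
    missing = [name for name in CI_VARS if not env.get(name)]
    if missing:
        raise RuntimeError("missing CI variables: " + ", ".join(missing))
    addr = env["VAULT_ADDR"].rstrip("/")
    token, lease = approle_login(addr, env["VAULT_ROLE_ID"], env["VAULT_SECRET_ID"], transport)
    try:
        # A lease of 0 means the token never expires; either case means the role is misconfigured.
        if lease == 0 or lease > max_lease:
            raise RuntimeError(f"token lease {lease}s is outside policy (1..{max_lease}s)")
        return read_kv2(addr, token, env["VAULT_SECRET_PATH"], transport)
    finally:
        revoke_self(addr, token, transport)


# Constructed stand-in for Vault's HTTP API so the flow can run offline; the replies
# mirror the shape of real Vault responses but were not captured from a real server.
SAMPLE_ENV = {"VAULT_ADDR": "https://vault.example.test/", "VAULT_ROLE_ID": "role-1",
              "VAULT_SECRET_ID": "secret-1", "VAULT_SECRET_PATH": "ci/deploy"}
SAMPLE_SECRET = {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLE", "AWS_SECRET_ACCESS_KEY": "example-only"}


class SampleVault:
    def __init__(self, lease=600):
        self.lease, self.calls, self.revoked = lease, [], False

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if url.endswith("/v1/auth/approle/login"):
            creds = json.loads(body)
            if (creds["role_id"], creds["secret_id"]) != ("role-1", "secret-1"):
                return {"errors": ["invalid role or secret ID"]}
            return {"auth": {"client_token": "hvs.sample", "lease_duration": self.lease}}
        if headers.get("X-Vault-Token") != "hvs.sample" or self.revoked:
            return {"errors": ["permission denied"]}
        if url.endswith("/v1/secret/data/ci/deploy"):
            return {"data": {"data": dict(SAMPLE_SECRET), "metadata": {"version": 3}}}
        if url.endswith("/v1/auth/token/revoke-self"):
            self.revoked = True
            return {}
        return {"errors": [f"unsupported path {url}"]}


if __name__ == "__main__":
    if all(os.environ.get(name) for name in CI_VARS):
        secrets = fetch_job_secrets(os.environ)                 # inside a real CI job
    else:
        secrets = fetch_job_secrets(SAMPLE_ENV, SampleVault())  # offline demonstration
    # Never echo the values into the job log; only report which keys were fetched.
    print("fetched:", ", ".join(sorted(secrets)))
```

In a `.gitlab-ci.yml` job this would be invoked from `script:` with the four variables set at project or group level; marking `VAULT_ROLE_ID` and `VAULT_SECRET_ID` as masked keeps them out of job logs, and marking them protected keeps unprotected branches from reading them. The lease check rejects a role that hands out non-expiring or very long-lived tokens, and the `finally` revokes the token even when the read fails. The trade-off of this manual approach is visible in the code: the AppRole credentials are themselves secrets stored in GitLab, so a runner-side identity that Vault can verify directly would remove a class of credential from CI variables altogether.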