feat: support ID tokens in addition to CI_JOB_JWT

README.md

@@ -94,6 +94,23 @@ The following commands may help you retrieve the different values:
 - `gcloud iam workload-identity-pools list  --location=global --format="value(name)"` will list you POOL_IDs available on your `GCP_PROJECT`
 - `gcloud iam workload-identity-pools providers list --workload-identity-pool=<my-pool>  --location=global --format="value(name)"` will return the list of available `PROVIDER_ID` for one `POOL_ID`
 
+The template supports two ways to retrieve the JSON web token (JWT):
+
+* using GitLab's `CI_JOB_JWT_V2` variable - _default_<br/>
+  :warning: deprecated, scheduled to be removed in GitLab 16.5
+* using an [ID token](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens) named `GCP_JWT` - _configurable_
+
+The ID token can be configured as follows in your `.gitlab-ci.yml` file:
+
+```yaml
+# enable GCP_JWT ID token for GCP jobs only
+.gcp-base:
+  id_tokens:
+    GCP_JWT:
+      # use your own audience url here
+      aud: https://gitlab.com
+```
+
 ### Deployment context variables
 
 In order to manage the various deployment environments, this template provides a couple of **dynamic variables**
@@ -447,6 +464,23 @@ With:
 | `secret_path` (_path parameter_) | this is your secret location in the Vault server |
 | `field` (_query parameter_)      | parameter to access a single basic field from the secret JSON payload |
 
+The variant supports two ways to retrieve the JSON web token (JWT):
+
+* using GitLab's `CI_JOB_JWT` variable - _default_<br/>
+  :warning: deprecated, scheduled to be removed in GitLab 16.5
+* using an [ID token](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens) named `VAULT_JWT_TOKEN` - _configurable_
+
+The ID token can be configured as follows in your `.gitlab-ci.yml` file:
+
+```yaml
+# enable VAULT_JWT_TOKEN ID token for GCP jobs only
+.gcp-base:
+  id_tokens:
+    VAULT_JWT_TOKEN:
+      # use your own audience url here
+      aud: https://gitlab.com
+```
+
 #### Example
 
 ```yaml
@@ -465,4 +499,11 @@ variables:
     SOME_SECRET_USED_IN_MY_APP: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/prod/gcloud/secret?field=my.app.secret"
     VAULT_BASE_URL: "https://vault.acme.host/v1"
     # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
+
+# enable VAULT_JWT_TOKEN ID token for GCP jobs only
+.gcp-base:
+  id_tokens:
+    VAULT_JWT_TOKEN:
+      # use your own audience url here
+      aud: https://gitlab.com
 ```

templates/gitlab-ci-gcloud-vault.yml

@@ -5,6 +5,7 @@ variables:
   # variabilized vault-secrets-provider image
   TBC_VAULT_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master"
   # variables have to be explicitly declared in the YAML to be exported to the service
+  VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"
   VAULT_ROLE_ID: "$VAULT_ROLE_ID"
   VAULT_SECRET_ID: "$VAULT_SECRET_ID"
 

templates/gitlab-ci-gcloud.yml

@@ -285,7 +285,7 @@ stages:
       # see: https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/
       log_info "Authenticating with OpenID Connect..."
       assert_defined "$oidc_account" 'Missing required OpenID Connect service account'
-      echo "${CI_JOB_JWT_V2}" > /tmp/.ci_job_jwt_file 
+      echo "${GCP_JWT:-$CI_JOB_JWT_V2}" > /tmp/.ci_job_jwt_file 
       gcloud iam workload-identity-pools create-cred-config "$oidc_provider" \
         --service-account="$oidc_account" \
         --output-file=/tmp/.gcp_temp_cred.json \