Commit f13362ce authored by Pierre Smeyers

feat: support ID tokens in addition to CI_JOB_JWT

parent 08cf552c
...@@ -94,6 +94,23 @@ The following commands may help you retrieve the different values: ...@@ -94,6 +94,23 @@ The following commands may help you retrieve the different values:
- `gcloud iam workload-identity-pools list --location=global --format="value(name)"` will list you POOL_IDs available on your `GCP_PROJECT` - `gcloud iam workload-identity-pools list --location=global --format="value(name)"` will list you POOL_IDs available on your `GCP_PROJECT`
- `gcloud iam workload-identity-pools providers list --workload-identity-pool=<my-pool> --location=global --format="value(name)"` will return the list of available `PROVIDER_ID` for one `POOL_ID` - `gcloud iam workload-identity-pools providers list --workload-identity-pool=<my-pool> --location=global --format="value(name)"` will return the list of available `PROVIDER_ID` for one `POOL_ID`
The template supports two ways to retrieve the JSON web token (JWT):
* using GitLab's `CI_JOB_JWT_V2` variable - _default_<br/>
:warning: deprecated, scheduled to be removed in GitLab 16.5
* using an [ID token](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens) named `GCP_JWT` - _configurable_
The ID token can be configured as follows in your `.gitlab-ci.yml` file:
```yaml
# enable GCP_JWT ID token for GCP jobs only
.gcp-base:
id_tokens:
GCP_JWT:
# use your own audience url here
aud: https://gitlab.com
```
### Deployment context variables ### Deployment context variables
In order to manage the various deployment environments, this template provides a couple of **dynamic variables** In order to manage the various deployment environments, this template provides a couple of **dynamic variables**
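Review bot: the comment `# use your own audience url here` on the `.gcp-base` id_tokens example leaves the reader guessing what value is acceptable; say explicitly that the `aud` claim has to match the audience the workload identity pool provider is configured to accept, since the token exchange is rejected otherwise. It would also help to state that the `.gcp-base` block is an override the user adds to their own `.gitlab-ci.yml` (the text calls the ID token path _configurable_ while `CI_JOB_JWT_V2` stays the _default_), so nobody expects the template to declare `GCP_JWT` on its own.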
...@@ -447,6 +464,23 @@ With: ...@@ -447,6 +464,23 @@ With:
| `secret_path` (_path parameter_) | this is your secret location in the Vault server | | `secret_path` (_path parameter_) | this is your secret location in the Vault server |
| `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload | | `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload |
The variant supports two ways to retrieve the JSON web token (JWT):
* using GitLab's `CI_JOB_JWT` variable - _default_<br/>
:warning: deprecated, scheduled to be removed in GitLab 16.5
* using an [ID token](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens) named `VAULT_JWT_TOKEN` - _configurable_
The ID token can be configured as follows in your `.gitlab-ci.yml` file:
```yaml
# enable VAULT_JWT_TOKEN ID token for GCP jobs only
.gcp-base:
id_tokens:
VAULT_JWT_TOKEN:
# use your own audience url here
aud: https://gitlab.com
```
#### Example #### Example
```yaml ```yaml
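Review bot: the comment `# enable VAULT_JWT_TOKEN ID token for GCP jobs only` reads as copied from the `GCP_JWT` example above, and `aud: https://gitlab.com` is again shown with only `use your own audience url here`; for the Vault variant the audience must be the one bound to the JWT auth role on the Vault server, so the comment should say that. The deprecation bullet here names `CI_JOB_JWT` while the GCP section names `CI_JOB_JWT_V2`; if that difference is intentional, a short note would stop readers from reading it as a typo.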
...@@ -465,4 +499,11 @@ variables: ...@@ -465,4 +499,11 @@ variables:
SOME_SECRET_USED_IN_MY_APP: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/prod/gcloud/secret?field=my.app.secret" SOME_SECRET_USED_IN_MY_APP: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/prod/gcloud/secret?field=my.app.secret"
VAULT_BASE_URL: "https://vault.acme.host/v1" VAULT_BASE_URL: "https://vault.acme.host/v1"
# $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
# enable VAULT_JWT_TOKEN ID token for GCP jobs only
.gcp-base:
id_tokens:
VAULT_JWT_TOKEN:
# use your own audience url here
aud: https://gitlab.com
``` ```
...@@ -5,6 +5,7 @@ variables: ...@@ -5,6 +5,7 @@ variables:
# variabilized vault-secrets-provider image # variabilized vault-secrets-provider image
TBC_VAULT_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master" TBC_VAULT_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master"
# variables have to be explicitly declared in the YAML to be exported to the service # variables have to be explicitly declared in the YAML to be exported to the service
VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"
VAULT_ROLE_ID: "$VAULT_ROLE_ID" VAULT_ROLE_ID: "$VAULT_ROLE_ID"
VAULT_SECRET_ID: "$VAULT_SECRET_ID" VAULT_SECRET_ID: "$VAULT_SECRET_ID"
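Review bot: `VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"` is exported to the service unconditionally, so in a pipeline that has not declared the `VAULT_JWT_TOKEN` ID token the service receives the variable set to an empty string rather than unset. Confirm that vault-secrets-provider treats an empty `VAULT_JWT_TOKEN` as absent and falls back to `CI_JOB_JWT`, mirroring the `${GCP_JWT:-$CI_JOB_JWT_V2}` fallback used in the GCP script, or document that an empty value disables the fallback.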
...@@ -285,7 +285,7 @@ stages: ...@@ -285,7 +285,7 @@ stages:
# see: https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/ # see: https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/
log_info "Authenticating with OpenID Connect..." log_info "Authenticating with OpenID Connect..."
assert_defined "$oidc_account" 'Missing required OpenID Connect service account' assert_defined "$oidc_account" 'Missing required OpenID Connect service account'
echo "${CI_JOB_JWT_V2}" > /tmp/.ci_job_jwt_file echo "${GCP_JWT:-$CI_JOB_JWT_V2}" > /tmp/.ci_job_jwt_file
gcloud iam workload-identity-pools create-cred-config "$oidc_provider" \ gcloud iam workload-identity-pools create-cred-config "$oidc_provider" \
--service-account="$oidc_account" \ --service-account="$oidc_account" \
--output-file=/tmp/.gcp_temp_cred.json \ --output-file=/tmp/.gcp_temp_cred.json \
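Review bot: `echo "${GCP_JWT:-$CI_JOB_JWT_V2}" > /tmp/.ci_job_jwt_file` silently writes an empty file when neither variable is set, and the failure then surfaces later in the `gcloud` call with a less obvious message; guard the value the same way `$oidc_account` is guarded on the line above, e.g. `assert_defined "${GCP_JWT:-$CI_JOB_JWT_V2}" 'Missing GCP_JWT ID token or CI_JOB_JWT_V2'`. Since the file holds a bearer credential, create it with restrictive permissions (for example `umask 077` before the redirect, or `chmod 600` right after) rather than the default umask.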