You must replace the Vault URL in the examples below with the URL of your own Vault server, and the GitLab URL with the URL of your GitLab instance.

## How it works

Each job has a JSON Web Token (JWT) provided as a CI/CD variable named `CI_JOB_JWT`. This JWT can be used to authenticate with Vault using the JWT Auth method.

The following fields are included in the JWT:

| Field | When | Description |
|---|---|---|
| `jti` | Always | Unique identifier for this token |
| `iss` | Always | Issuer, the domain of your GitLab instance |
| `iat` | Always | Issued at |
| `nbf` | Always | Not valid before |
| `exp` | Always | Expires at |
| `sub` | Always | Subject (job ID) |
| `namespace_id` | Always | Use this to scope to group or user level namespace by ID |
| `namespace_path` | Always | Use this to scope to group or user level namespace by path |
| `project_id` | Always | Use this to scope to project by ID |
| `project_path` | Always | Use this to scope to project by path |
| `user_id` | Always | ID of the user executing the job |
| `user_login` | Always | Username of the user executing the job |
| `user_email` | Always | Email of the user executing the job |
| `pipeline_id` | Always | ID of this pipeline |
| `pipeline_source` | Always | Pipeline source |
| `job_id` | Always | ID of this job |
| `ref` | Always | Git ref for this job |
| `ref_type` | Always | Git ref type, either `branch` or `tag` |
| `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise |
| `environment` | Job specifies an environment | Environment this job specifies (introduced in GitLab 13.9) |
| `environment_protected` | Job specifies an environment | `true` if the specified environment is protected, `false` otherwise (introduced in GitLab 13.9) |
| `deployment_tier` | Job specifies an environment | Deployment tier of the environment this job specifies (introduced in GitLab 15.2) |

The JWT is encoded using RS256 and signed with a dedicated private key. The token's expiry time is set to the job's timeout, if one is specified, or 5 minutes otherwise. The key used to sign this token may change without notice; in that case, retrying the job generates a new JWT using the current signing key.

You can use this JWT and your instance's JWKS endpoint to authenticate with a Vault server that is configured to allow the JWT Authentication method.

When configuring roles in Vault, you can use `bound_claims` to match against the JWT's claims and restrict which secrets each CI job has access to.

To communicate with Vault, you can use either its CLI client or perform API requests (using `curl` or another client).

## Example

A role links the JWT with a Vault policy. The production role in this example is named `myproject-production`; its JSON role definition is passed on standard input (the `-` argument) and terminated by `EOF`:

```shell
$ vault write auth/jwt/role/myproject-production - << EOF
```

This example uses `bound_claims` to specify that only a JWT with matching values for the specified claims is allowed to authenticate. Combined with protected branches, you can restrict who is able to authenticate and read the secrets.

`token_explicit_max_ttl` specifies that the token issued by Vault, upon successful authentication, has a hard lifetime limit of 60 seconds.

`user_claim` specifies the name for the Identity alias created by Vault upon a successful login.

`bound_claims_type` configures the interpretation of the `bound_claims` values. If set to `glob`, the values are interpreted as globs, with `*` matching any number of characters.

The claim fields listed in the table above can also be accessed for Vault's policy path templating purposes by using the accessor name of the JWT auth within Vault. The mount accessor name (`ACCESSOR_NAME` in the example below) can be retrieved by running `vault auth list`.

Policy template example making use of a named metadata field named `project_path`:

The following CI job authenticates with the `myproject-production` role and reads the production database password. Note that `echo $PASSWORD` writes the secret to the job log; it is included here only to show that the read succeeded:

```yaml
read_secrets:
  image: vault:latest
  script:
    # Check job's ref name
    - echo $CI_COMMIT_REF_NAME
    # and is this ref protected
    - echo $CI_COMMIT_REF_PROTECTED
    # Vault's address can be provided here or as CI/CD variable
    # (placeholder: substitute the URL of your Vault server)
    - export VAULT_ADDR=<URL-of-your-Vault-server>
    # Authenticate and get token. Token expiry time and other properties can be configured
    # when configuring JWT Auth
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=myproject-production jwt=$CI_JOB_JWT)"
    # Now use the VAULT_TOKEN to read the secret and store it in an environment variable
    - export PASSWORD="$(vault kv get -field=password secret/myproject/production/db)"
    # Use the secret
    - echo $PASSWORD
```

You can control `CI_JOB_JWT` access to Vault secrets by using Vault protections and GitLab features. For example, restrict the token by:

- Hard coding values for Vault bound claims based on the `user_login` and `user_email`.
- Setting Vault time limits for the TTL of the token, as specified in `token_explicit_max_ttl`, where the token expires after authentication.
- Scoping the JWT to GitLab protected branches that are restricted to a subset of project users.
- Scoping the JWT to GitLab protected tags that are restricted to a subset of project users.
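To make the role options described above concrete, here is an added Python model of how a Vault JWT-auth role decides a login request. It is not code from the GitLab documentation or from Vault itself; it reproduces the rules the text states (exact string comparison by default, `*`-globs when `bound_claims_type` is `glob`, the identity alias taken from `user_claim`, and the hard `token_explicit_max_ttl` lifetime) and runs them against constructed claim sets. The two role definitions, the `project_id` value `22`, the `main` and `auto-deploy-*` ref patterns and the e-mail addresses are all assumptions made for the example. Signature verification against the JWKS endpoint and the `iss`/`exp`/`nbf` checks happen before this step in real Vault and are not modelled.

```python
"""Model of how a Vault JWT-auth role's bound_claims gate a GitLab CI_JOB_JWT.

Added example (not code from the GitLab docs or from Vault). All role
definitions and claim sets below are constructed for illustration.
"""
import re

# Constructed role definitions, in the shape of the JSON piped to
# `vault write auth/jwt/role/<name> -`. project_id "22" and the ref
# patterns are made-up values.
ROLES = {
    "myproject-staging": {
        "role_type": "jwt",
        "policies": ["myproject-staging"],
        "token_explicit_max_ttl": 60,
        "user_claim": "user_email",
        "bound_claims": {"project_id": "22", "ref": "main", "ref_type": "branch"},
    },
    "myproject-production": {
        "role_type": "jwt",
        "policies": ["myproject-production"],
        "token_explicit_max_ttl": 60,
        "user_claim": "user_email",
        "bound_claims_type": "glob",
        "bound_claims": {
            "project_id": "22",
            "ref_protected": "true",
            "ref_type": "branch",
            "ref": "auto-deploy-*",
        },
    },
}


def glob_match(pattern, value):
    """Vault-style glob: only '*' is special and matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def claim_matches(expected, actual, use_glob):
    """Compare one bound claim with the JWT's value, as strings. A bound claim
    may list several acceptable values; any one of them matching is enough."""
    if actual is None:
        return False
    actual = str(actual).lower() if isinstance(actual, bool) else str(actual)
    alternatives = expected if isinstance(expected, list) else [expected]
    return any(glob_match(str(alt), actual) if use_glob else actual == str(alt)
               for alt in alternatives)


def evaluate_login(role_name, claims, now=0):
    """Decide a `vault write auth/jwt/login role=<role> jwt=<token>` request.

    Returns (True, grant) where grant carries the policies, identity alias and
    absolute expiry of the Vault token, or (False, reason) naming the first
    bound claim that did not match."""
    role = ROLES[role_name]
    use_glob = role.get("bound_claims_type", "string") == "glob"
    for name, expected in role["bound_claims"].items():
        if not claim_matches(expected, claims.get(name), use_glob):
            return False, f"claim {name!r}: expected {expected!r}, got {claims.get(name)!r}"
    alias = claims.get(role["user_claim"])
    if alias is None:
        return False, f"missing user_claim {role['user_claim']!r}"
    return True, {
        "policies": role["policies"],
        "alias": alias,
        "expires_at": now + role["token_explicit_max_ttl"],  # hard lifetime limit
    }


# Constructed CI_JOB_JWT payloads: only the claims the roles look at, with
# values as strings.
STAGING_JOB = {"project_id": "22", "ref": "main", "ref_type": "branch",
               "ref_protected": "false", "user_email": "dev@example.com"}
PROD_JOB = {"project_id": "22", "ref": "auto-deploy-2024-05-01",
            "ref_type": "branch", "ref_protected": "true",
            "user_email": "release@example.com"}
# Same branch-name pattern, but the branch is not protected.
UNPROTECTED_PROD_BRANCH = dict(PROD_JOB, ref_protected="false")
# A job from a different project reusing the production branch name.
OTHER_PROJECT = dict(PROD_JOB, project_id="23")


if __name__ == "__main__":
    cases = [("staging job", STAGING_JOB), ("prod job", PROD_JOB),
             ("unprotected branch", UNPROTECTED_PROD_BRANCH),
             ("other project", OTHER_PROJECT)]
    for label, claims in cases:
        for role in ROLES:
            print(f"{label:20} -> {role:22} {evaluate_login(role, claims)}")
```

Running the block shows why the page pairs `bound_claims` with protected branches: a branch named `auto-deploy-2024-05-01` only matches the production role when `ref_protected` is `true`, so a developer who creates a similarly named unprotected branch, or a job from another project, never obtains the production token. The glob matcher deliberately treats only `*` as special, so characters such as `.` and `?` in a bound claim are compared literally.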