GitLab Plugin
GitLab is a web-based DevOps lifecycle tool that provides a Git-repository manager including wiki, issue-tracking and continuous integration and deployment pipeline features.
Each job has JSON Web Token (JWT) provided as CI/CD variable named CI_JOB_JWT_V2. This JWT can be used to authenticate with Akeyless.
Prerequisite
- To work with Akeyless GitLab plugin, please create an Authentication Method type of OIDC/JWT in Akeyless Vault. with the following parameters:
--name your authentication method name in Akeyless Vault.
--jwks-uri The URL to the JWKS that contains the public keys that should be used for JWT verification, for GitLab please use: https://gitlab.com/-/jwks.
--unique-identifier A unique ID, usually a value such as email, username, or upn for example. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured, and is used to distinguish between different users from within the same organization.
akeyless create-auth-method-oauth2 --name MyJWTAuth \
--jwks-uri https://gitlab.com/-/jwks \
--unique-identifier user_login
- Create an Access Role to provide access to your authentication method.
akeyless create-role --name MyJWTRole
- Associate your new Role with your Authentication Method. Please make sure to provide the matching sub claim for your Authentication.
akeyless assoc-role-am --role-name MyJWTRole \
--am-name MyJWTAuth \
--sub-claims user_login=<YOUR GitLab USERNAME>
Set permissions:
akeyless set-role-rule --role-name MyJWTRole \
--path /Path/To/your/secret/'*' \
--capability read --capability list
Integrating Akeyless Cloud Vault with GitLab CI/CD
- Open your GitLab project and make sure you have a yaml file named .gitlab-ci.yml
As an example update it to contain the following steps:
akeyless:
image:
name: akeyless/ci_base
before_script:
- export DEMO_SECRET=akeyless://demo-secret
- export MY_SECRET=akeyless://mySecret
- export VAULT_ADDR=https://hvp.akeyless.io
- akeyless auth --access-id p-xxxxxxxxxxxx --access-type jwt --jwt $CI_JOB_JWT_V2
- source ~/.akeyless/akeyless_env.sh
script:
- echo "Secret=[$DEMO_SECRET]"
- echo "Fetching Secrets is Easy [$MY_SECRET]"
GitLab Version 15 and higher
Starting from v15 GitLab supports
CI_JOB_JWT_V2, for older versions you can use the legacy environmentCI_JOB_JWTinstead.
- Make sure to replace the path to the relevant secrets as well as the access-id value with your matching OIDC access-id (as appears in Akeyless console)
Please note
The image is akeyless/ci_ base which is a public docker image based on ruby:2.4 that contains Akeyless CLI as well as other essential components.
- After editing the file should look like this:
- After running the job the result should look like this:
- Success! - the secrets are accessible to use within the job logic (in this example they are just being printed).
Updated about 2 months ago