GitLab is a web-based DevOps lifecycle tool that provides a Git-repository manager including wiki, issue-tracking and continuous integration and deployment pipeline features.
- To work with Akeyless GitLab plugin, please create an Authentication Method type of OIDC/JWT in Akeyless Vault. with the following parameters:
--name your authentication method name in Akeyless Vault.
--jwks-uri The URL to the JWKS that contains the public keys that should be used for JWT verification, for GitLab please use:
--unique-identifier A unique ID, usually a value such as email, username, or upn for example. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured, and is used to distinguish between different users from within the same organization.
$ akeyless create-auth-method-oauth2 --name MyJWTAuth \ --jwks-uri https://gitlab.com/-/jwks \ --unique-identifier user_login
- Create an Access Role to provide access to your authentication method.
$ akeyless create-role --name MyJWTRole
- Associate your new Role with your Authentication Method. Please make sure to provide the matching sub claim for your Authentication.
$ akeyless assoc-role-am --role-name MyJWTRole \ --am-name MyJWTAuth \ --sub-claims user_login=<YOUR GitLab USERNAME> $ akeyless set-role-rule --role-name MyJWTRole \ --path /Path/To/your/secret/'*' \ --capability read --capability list
- Open your GitLab project and make sure you have a yaml file named .gitlab-ci.yml
As an example update it to contain the following steps:
akeyless: image: name: akeyless/ci_base before_script: - export DEMO_SECRET=akeyless://demo-secret - export MY_SECRET=akeyless://mySecret - akeyless auth --access-id p-xxxxxxxxxxxx --access-type jwt --jwt $CI_JOB_JWT - source ~/.akeyless/akeyless_env.sh script: - echo "Secret=[$DEMO_SECRET]" - echo "Fetching Secrets is Easy [$MY_SECRET]"
- Make sure to replace the path to the relevant secrets as well as the access-id value with your matching OIDC access-id (as appears in Akeyless console)
The image is akeyless/ci_ base which is a public docker image based on ruby:2.4 that contains Akeyless CLI as well as other essential components.
- After editing the file should look like this:
- After running the job the result should look like this:
- Success! - the secrets are accessible to use within the job logic (in this example they are just being printed).
Updated about a month ago