Introduction

GitLab is a web-based DevOps lifecycle tool that provides a Git-repository manager including wiki, issue-tracking and continuous integration and deployment pipeline features.

Prerequisite

1. To work with Akeyless GitLab plugin, please create an Authentication Method type of OIDC/JWT in Akeyless Vault. with the following parameters:

--name your authentication method name in Akeyless Vault.

--jwks-uri The URL to the JWKS that contains the public keys that should be used for JWT verification, for GitLab please use: https://gitlab.com/-/jwks.

--unique-identifier A unique ID, usually a value such as email, username, or upn for example. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured, and is used to distinguish between different users from within the same organization.

$ akeyless create-auth-method-oauth2 --name MyJWTAuth \
--jwks-uri https://gitlab.com/-/jwks \
--unique-identifier user_login

2. Create an Access Role to provide access to your authentication method.

$ akeyless create-role --name MyJWTRole

3. Associate your new Role with your Authentication Method. Please make sure to provide the matching sub claim for your Authentication.

$ akeyless assoc-role-am --role-name MyJWTRole \
--am-name MyJWTAuth \
--sub-claims user_login=<YOUR GitLab USERNAME> 

$ akeyless set-role-rule --role-name MyJWTRole \
--path /Path/To/your/secret/'*' \
--capability read --capability list

Integrating Akeyless Cloud Vault with GitLab CI/CD

1. Open your GitLab project and make sure you have a yaml file named .gitlab-ci.yml
   As an example update it to contain the following steps:

akeyless:
  image: 
    name:  akeyless/ci_base
  before_script:
    - export DEMO_SECRET=akeyless://demo-secret
    - export MY_SECRET=akeyless://mySecret
    - akeyless auth --access-id p-xxxxxxxxxxxx --access-type jwt --jwt $CI_JOB_JWT
    - source ~/.akeyless/akeyless_env.sh
  script:
    - echo "Secret=[$DEMO_SECRET]"
    - echo "Fetching Secrets is Easy [$MY_SECRET]"

2. Make sure to replace the path to the relevant secrets as well as the access-id value with your matching OIDC access-id (as appears in Akeyless console)

📘

Please note

The image is akeyless/ci_ base which is a public docker image based on ruby:2.4 that contains Akeyless CLI as well as other essential components.

3. After editing the file should look like this:

4. After running the job the result should look like this:

5. Success! - the secrets are accessible to use within the job logic (in this example they are just being printed).