GitLab Plugin

GitLab is a web-based DevOps lifecycle tool that provides a Git-repository manager including wiki, issue-tracking and continuous integration and deployment pipeline features.

Each job has a JSON Web Token (JWT) provided as the CI/CD variable CI_JOB_JWT_V2. This JWT can be used to authenticate with Akeyless.


  1. To work with the Akeyless GitLab plugin, create an Authentication Method of type OIDC/JWT in Akeyless Vault with the following parameters:

--name The name of your authentication method in Akeyless Vault.

--jwks-uri The URL of the JWKS containing the public keys used to verify the JWT signature. For GitLab, use:

--unique-identifier A unique ID, usually a value such as an email address, username or UPN. Whenever a user logs in with a token, this authentication type issues a "sub claim" that contains details uniquely identifying that user. The sub claim includes a key holding the ID value you configured here, and it is used to distinguish between different users within the same organization.

akeyless create-auth-method-oauth2 --name MyJWTAuth \
--jwks-uri \
--unique-identifier user_login
  2. Create an Access Role to provide access to your authentication method.
akeyless create-role --name MyJWTRole
  3. Associate your new Role with your Authentication Method. Make sure to provide the sub claim that matches your authentication method's unique identifier.
akeyless assoc-role-am --role-name MyJWTRole \
--am-name MyJWTAuth \
--sub-claims user_login=<YOUR GitLab USERNAME>

Set permissions:

akeyless set-role-rule --role-name MyJWTRole \
--path /Path/To/your/secret/'*' \
--capability read --capability list
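The steps above configure a two-stage authorization model: a claim in the job's JWT must equal the role's --sub-claims value, and then a role rule (path pattern plus capability) must match the requested operation. The following Python is an added example of that model, not Akeyless code: it decodes a constructed CI_JOB_JWT_V2 payload without verifying its signature (signature verification against --jwks-uri happens on the Akeyless side and is not reproduced here), and approximates Akeyless path matching with shell-style globbing. The claim names beyond user_login follow the ones GitLab documents for CI_JOB_JWT_V2; every value, the issuer URL and the role definition are made up.

```python
import base64
import json
import time
from fnmatch import fnmatchcase

# Constructed sample claims. Names follow GitLab's CI_JOB_JWT_V2 claims;
# the values are invented for this example.
SAMPLE_CLAIMS = {
    "iss": "https://gitlab.example.com",            # constructed issuer
    "sub": "project_path:demo-group/demo-project:ref_type:branch:ref:main",
    "user_login": "alice",                          # the claim the page keys on
    "project_path": "demo-group/demo-project",
    "ref": "main",
    "ref_protected": "true",
    "iat": 1700000000,
    "exp": 1700003600,                              # one hour after iat
}

# Mirrors the role built with create-role / assoc-role-am / set-role-rule.
MY_JWT_ROLE = {
    "sub_claims": {"user_login": "alice"},
    "rules": [{"path": "/Path/To/your/secret/*", "capabilities": ["read", "list"]}],
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build header.payload.signature; the signature is a placeholder, so this
    token is only useful for exercising claim and rule evaluation."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([
        b64url(json.dumps(header).encode()),
        b64url(json.dumps(claims).encode()),
        b64url(b"placeholder-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Decode the payload segment only. This does NOT verify the signature;
    a real verifier must check it against the JWKS before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def sub_claims_match(claims: dict, required: dict) -> bool:
    """Equivalent of --sub-claims: every required key must equal the token claim."""
    return all(str(claims.get(key)) == value for key, value in required.items())


def rule_allows(rules: list, path: str, capability: str) -> bool:
    """Equivalent of set-role-rule: some rule's path glob must match the secret
    path and list the requested capability. fnmatch is an approximation of the
    real matcher (its '*' also crosses '/')."""
    return any(fnmatchcase(path, rule["path"]) and capability in rule["capabilities"]
               for rule in rules)


def authorize(token: str, role: dict, path: str, capability: str, now=None):
    """Return (allowed, reason) for one secret operation with one job token."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if not sub_claims_match(claims, role["sub_claims"]):
        return False, "sub-claims do not match"
    if not rule_allows(role["rules"], path, capability):
        return False, f"no rule grants {capability} on {path}"
    return True, "allowed"


if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    for path, cap in [("/Path/To/your/secret/db-pass", "read"),
                      ("/Path/To/your/secret/db-pass", "create"),
                      ("/Other/secret", "read")]:
        print(path, cap, authorize(token, MY_JWT_ROLE, path, cap, now=1700000100))
```

The three checks run in the same order Akeyless applies them conceptually: token validity first, then identity (the sub claim), then the role's path rules. A token for a different user_login, an expired token, a capability the rule does not grant (create) or a path outside the rule's prefix are each rejected with a distinct reason, which is the behaviour to expect when debugging a denied CI job.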

Integrating Akeyless Cloud Vault with GitLab CI/CD

  1. Open your GitLab project and make sure you have a YAML file named .gitlab-ci.yml.
    As an example, update it to contain the following steps (the job name fetch-secrets is illustrative; image and script are standard GitLab CI keys):

    image:
      name: akeyless/ci_base

    fetch-secrets:
      script:
        - export DEMO_SECRET=akeyless://demo-secret
        - export MY_SECRET=akeyless://mySecret
        - export VAULT_ADDR= 
        - akeyless auth --access-id p-xxxxxxxxxxxx --access-type jwt --jwt $CI_JOB_JWT_V2
        - source ~/.akeyless/
        - echo "Secret=[$DEMO_SECRET]"
        - echo "Fetching Secrets is Easy [$MY_SECRET]"


GitLab Version 15 and higher

Starting from GitLab v15, CI_JOB_JWT_V2 is available; on older versions, use the legacy CI_JOB_JWT variable instead.

  1. Make sure to replace the paths to the relevant secrets, as well as the access-id value, with your matching OIDC access-id (as it appears in the Akeyless console).


Please note

The image is akeyless/ci_base, a public Docker image based on ruby:2.4 that contains the Akeyless CLI as well as other essential components.

  1. After editing, the file should look like this:
  1. After running the job, the result should look like this:
  1. Success! The secrets are accessible for use within the job logic (in this example they are just being printed).