Draft: feat: added GCP secret manager support using Workload Identity Federation.

Open Roy Harrington requested to merge issue-60-gcp-secret-manager-template into master
Files
2
+ 86
0
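--- a/auto-devops/gcp-secret-manager.yml
+++ b/auto-devops/gcp-secret-manager.yml
@@ -0,0 +1,82 @@
+# Provides access to a secret stored in Google Cloud Secret Manager, utilising Workload Identity Federation.
+#
+# This template is intended to be generic and to be "include"-d from CI
+# configurations. It has defaults specific to uis/devops, but these can be
+# overridden by passing in the appropriate variables.
+#
+# include:
+# - project: 'uis/devops/continuous-delivery/ci-templates'
+# file: '/auto-devops/gcp-secret-manager.yml'
+# ref: issue-60-gcp-secret-manager-template
+# inputs:
+# output_env_var: GITLAB_TOKEN
+# secret_name: 'gitlab-rh841-demo-10731-group-10731-deploy-bot-token'
+spec:
+inputs:
+job_prefix:
+description: "The prefix to prepend to the job name. This is useful to avoid job name collisions."
+type: string
+default: "gitlab-token"
+output_env_var:
+description: "The name of the environment variable to store the secret."
+type: string
+secret_name:
+description: "The name of the secret in Secret Manager."
+type: string
+secret_version:
+description: "The version of the secret in Secret Manager."
+type: string
+default: latest
+secret_project_id:
+description: "The GCP project ID hosting the secret."
+type: string
+default: "gl-proj-factory-prod-01d25675"
+wif_gcp_project_number:
+description: "The GCP project number hosting the Workload Identity Federation GitLab pool."
+type: number
+default: 421963284348 # devops-meta-268215
+wif_pool_id:
+description: "The Workload Identity Federation pool ID."
+type: string
+default: "gitlab"
+wif_provider_id:
+description: "The Workload Identity Federation provider ID."
+type: string
+default: "uis-devops"
+---
+"$[[ inputs.job_prefix ]]-gcp-secret":
+id_tokens:
+GOOGLE_WIF_TOKEN:
+aud: $WIF_AUDIENCE_CLAIM
+image: eu.gcr.io/google.com/cloudsdktool/google-cloud-cli:latest
+before_script:
+# Create credentials file which Google SDKs use to authenticate to APIs.
+- |-
+echo $GOOGLE_WIF_TOKEN > $CI_BUILDS_DIR/.workload_identity.jwt
+cat << EOF > $GOOGLE_APPLICATION_CREDENTIALS
+{
+"type": "external_account",
+"audience": "$WIF_AUDIENCE_CLAIM",
+"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
+"token_url": "https://sts.googleapis.com/v1/token",
+"credential_source": {
+"file": "$CI_BUILDS_DIR/.workload_identity.jwt"
+}
+}
+EOF
+script:
+- SECRET=$(gcloud secrets versions access $[[ inputs.secret_version ]] --secret=$[[ inputs.secret_name ]] --project=$[[ inputs.secret_project_id]])
+- echo "$[[ inputs.output_env_var ]]=$SECRET" > secrets.env
+artifacts:
+# access: none # Awaiting new functionality in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/145206
+expire_in: 5 mins
+reports:
+dotenv:
+- secrets.env
+variables:
+GOOGLE_APPLICATION_CREDENTIALS: $CI_BUILDS_DIR/.workload_identity.wlconfig
+WIF_AUDIENCE_CLAIM: "//iam.googleapis.com/projects/$[[ inputs.wif_gcp_project_number ]]/locations/global/workloadIdentityPools/$[[ inputs.wif_pool_id ]]/providers/$[[ inputs.wif_provider_id ]]"
+# This is only needed if you're using the gcloud CLI tool.
+CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: $GOOGLE_APPLICATION_CREDENTIALS
+tags:
+- $GKE_RUNNER_TAG
\ No newline at end of file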
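Review bot: The secret fetched in the `script` step is written to `secrets.env` and published as a dotenv report artifact, so for the whole `expire_in: 5 mins` window anyone permitted to download this job's artifacts can read the plaintext value; the commented-out `access: none` acknowledges the gap, but the header comment should state it so consuming projects can restrict artifact download until that option lands, e.g. `# NOTE: the fetched secret is exposed as a downloadable job artifact (secrets.env) until it expires.` The `echo "...=$SECRET" > secrets.env` form also breaks for values containing newlines, since a dotenv report is read one `KEY=VALUE` per line, which is worth noting in the `secret_name` description or guarding with a check on the fetched value. The `image:` line uses the floating `:latest` tag; pinning a version or digest makes the job reproducible and avoids pulling an unreviewed SDK build into a job that handles credentials. The interpolation `$[[ inputs.secret_project_id]]` lacks the trailing space the other inputs use; GitLab's parser may tolerate it, but it should match the rest for consistency.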