Add project-factory to GKE secrets page

Merged Mike Knee requested to merge dev-update-gitlab-runner-secret-docs into master
@@ -56,12 +56,41 @@ job itself.
image: registry.gitlab.developers.cam.ac.uk/uis/devops/infra/dockerimages/gcloud-docker:latest
script: |
my_secret=$(gcloud --impersonate-service-account=secret_accessor@<project id>.iam.gserviceaccount.com \
--project <project id> secrets versions access --secret <existing secret id> latest)
--project <project id> secrets versions access latest --secret=<existing secret id>)
tags:
- $GKE_RUNNER_TAG
```
<!-- markdownlint-enable MD013 -->
### GitLab Project Factory Configuration
For [gitlab-project-factory](https://gitlab.developers.cam.ac.uk/uis/devops/infra/gitlab-project-factory)
projects this is simplified greatly, the project factory provides a service
account to access secrets, and a group level gitlab access token that will be
stored in the secret manager.
These are then made available as pre-defined CI/CD variables, and can be
accessed by jobs running GKE runners.
To access the general purpose gitlab access token:
<!-- markdownlint-disable MD013 -->
```yaml
job1:
image: registry.gitlab.developers.cam.ac.uk/uis/devops/infra/dockerimages/gcloud-docker:latest
script: |
my_secret=$(gcloud --impersonate-service-account=${GITLAB_TOKEN_ACCESSOR_SERVICE_ACCOUNT} \
--project <project id> secrets versions access \
${GITLAB_ACCESS_TOKEN_SECRET_ID}/versions/latest)
tags:
- $GKE_RUNNER_TAG
```
<!-- markdownlint-enable MD013 -->
Note that the `GITLAB_ACCESS_TOKEN_SECRET_ID` is the fully qualified resource
id, so the version must be accessed using the full resource URI as described
above.
## Summary
In this guide you've learnt how to create a dedicated Google IAM service account with permission to
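Review bot: the `--project <project id>` flag in the project-factory example (the `gcloud --impersonate-service-account=${GITLAB_TOKEN_ACCESSOR_SERVICE_ACCOUNT} ... secrets versions access ${GITLAB_ACCESS_TOKEN_SECRET_ID}/versions/latest` command) is redundant and potentially misleading, because the added note immediately below says `GITLAB_ACCESS_TOKEN_SECRET_ID` is the fully qualified resource id, which already carries the project; suggest dropping `--project <project id>` from that command so a reader copying the snippet cannot pass a project that disagrees with the one embedded in the resource name. The new "GitLab Project Factory Configuration" section also does not say which identity the job on the GKE runner runs as, or what it needs in order to impersonate `${GITLAB_TOKEN_ACCESSOR_SERVICE_ACCOUNT}`; a sentence pointing to where the factory grants that, or at least stating that the runner identity must be allowed to impersonate the accessor account, would save readers a confusing permission-denied error. Minor style point: "For gitlab-project-factory projects this is simplified greatly, the project factory provides a service account ..." is a comma splice; split it into two sentences (e.g. "... this is simplified greatly. The project factory provides ...").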