
Gitlab JWT Setup

Clone Docker Toolkit (Optional)

If you have not already done so, clone the docker toolkit repo:

git clone https://gitlab.com/D3vbd/docker-toolkit.git ~/docker-toolkit

This will set up the toolkit in the folder ~/docker-toolkit.

We will be using the vault folder:

~/docker-toolkit/vault

Setup Vars

Set the following vars:

# Vault address
export VAULT_ADDR="https://vault.localhost:8200"

# root token from startup, or a token obtained through another auth method you have enabled
export VAULT_TOKEN=""

# Name/Path for jwt auth method
export GITLABCI_JWT_PATH="gitlab-jwt"

JWT Auth Method

Enable the auth method at the path specified in $GITLABCI_JWT_PATH:

vault auth enable -path=$GITLABCI_JWT_PATH jwt

Now configure it with GitLab's public issuer and JWKS endpoint, and set a default role of deployer (created later):

vault write auth/$GITLABCI_JWT_PATH/config \
  bound_issuer="https://gitlab.com" \
  jwks_url="https://gitlab.com/oauth/discovery/keys" \
  default_role="deployer"

JWT Auth Role

Now that we have a new auth mount for GitLab JWTs, we can create roles for it. We referenced a deployer role as the default, so let's create that.

Warning: this role will only exist on the auth method we created.

Policy

We are going to make a policy called deployer. This defines what the authenticated user will have access to. In this example they will have access to the mounts:

  • kv
  • ci
# or load the policy from a file: vault write sys/policy/deployer policy=@<policy-file>.hcl
vault write sys/policy/deployer policy=- <<EOF
path "kv/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "ci/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
EOF

Role

We are now going to create the role and bind policies to it.

Let's create the deployer role and attach the deployer policy.

Bound Claims: this controls which tokens the role accepts. Every bound claim must match the token's claim, and glob operators are enabled. The default below is set to my D3vbd GitLab group and allows all projects that exist in that group. You can restrict it further, even down to a single project ID. Look at the GitLab docs for more info on the claims carried by their ID tokens.

export GITLAB_GROUP_NAME="D3vbd"
vault write auth/$GITLABCI_JWT_PATH/role/deployer - <<EOF
{
  "role_type": "jwt",
  "policies": ["deployer", "default"],
  "token_explicit_max_ttl": "1h",
  "user_claim": "user_email",
  "bound_claims_type": "glob",
  "bound_claims": {
    "namespace_path": "$GITLAB_GROUP_NAME/*"
  }
}
EOF

The auth method is now set up with the deployer role.
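To see which GitLab ID tokens the role above would accept before pointing a pipeline at it, here is an added offline check (example code, not part of the toolkit or of Vault) that re-implements the issuer, expiry, user_claim and glob bound_claims rules from the config and role written above. The claim sets are constructed samples, not real tokens, and signature verification is deliberately left out because Vault does that against jwks_url.

```python
import re

# Settings as written to auth/gitlab-jwt/config and auth/gitlab-jwt/role/deployer above.
BOUND_ISSUER = "https://gitlab.com"
DEPLOYER_ROLE = {
    "bound_claims_type": "glob",
    "bound_claims": {"namespace_path": "D3vbd/*"},
    "user_claim": "user_email",
}

def glob_match(pattern, value):
    """Vault's glob bound_claims treat only '*' as a wildcard; every other character is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.fullmatch(regex, value) is not None

def evaluate(claims, now, role=DEPLOYER_ROLE):
    """Return (accepted, reason) for an already-decoded claim set.
    Signature checking is not modelled: Vault verifies it against jwks_url first."""
    if claims.get("iss") != BOUND_ISSUER:
        return False, "iss does not equal bound_issuer"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if not claims.get(role["user_claim"]):
        return False, "user_claim %s missing" % role["user_claim"]
    for name, expected in role["bound_claims"].items():
        actual = claims.get(name)
        if actual is None:
            return False, "bound claim %s missing" % name
        # A bound claim may list several allowed values; any one matching is enough.
        patterns = expected if isinstance(expected, list) else [expected]
        if role["bound_claims_type"] == "glob":
            matched = any(glob_match(p, str(actual)) for p in patterns)
        else:
            matched = str(actual) in patterns
        if not matched:
            return False, "bound claim %s=%r does not match %r" % (name, actual, expected)
    return True, "accepted"

# Constructed sample claim sets (not real GitLab tokens), evaluated at a fixed clock.
NOW = 1_700_000_000
GOOD = {"iss": BOUND_ISSUER, "exp": NOW + 300, "user_email": "dev@example.com",
        "namespace_path": "D3vbd/infra", "project_path": "D3vbd/infra/deploy"}
FORK = dict(GOOD, namespace_path="D3vbd-fork/infra")   # similar prefix, different group
TOP_LEVEL = dict(GOOD, namespace_path="D3vbd")         # project sitting directly in the group
WRONG_ISSUER = dict(GOOD, iss="https://gitlab.example.com")
EXPIRED = dict(GOOD, exp=NOW - 1)

if __name__ == "__main__":
    for label, claims in [("good", GOOD), ("fork", FORK), ("top_level", TOP_LEVEL),
                          ("wrong_issuer", WRONG_ISSUER), ("expired", EXPIRED)]:
        print(label, evaluate(claims, NOW))
```

Note the top_level case: a project that sits directly under the group carries namespace_path "D3vbd", which the glob "D3vbd/*" does not match, so only projects in subgroups satisfy this role as written; widen or list the bound claim values if that is not what you intend.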