Add aud claim to CI_JOB_JWT to support Terraform
Problem to solve
The Vault integration introduced in 12.10 is really nice and a long time coming. However, when trying to provision a JWT role through Terraform, the resource requires a bound_audiences setting, but the JWT that comes from CI_JOB_JWT does not carry an aud claim, which makes it impossible to use Terraform to provision a role that can be used in Gitlab. I would therefore like to see an aud claim added to the CI_JOB_JWT payload to support provisioning with Terraform.
Intended users
Developers building CI/CD pipelines would use this.
User experience goal
A user should be able to use Terraform to create JWT roles that Gitlab CI jobs can use to get a Vault token with a bound_audiences claim.
Proposal
Since the aud claim is supposed to identify the recipient of the JWT, perhaps we can set it to the base Vault address that houses the secrets Gitlab retrieves. This could be provided in a group or project level CI/CD variable called VAULT_ADDR, which needs to be provided anyway when integrating with Vault in a pipeline. If that variable is present, add an aud claim with its value to the CI_JOB_JWT payload.
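To show why the aud claim matters for a role that declares bound_audiences, here is an added example (not GitLab or Vault code) that mints constructed job tokens and runs them through a verifier that mirrors the audience check a JWT auth role performs. The VAULT_ADDR value, the HS256 shared secret and the claim values are all constructed for the example; GitLab signs CI_JOB_JWT with RS256, which the example does not reproduce.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret; stands in for the real signing key only so the
# example runs offline.
SECRET = b"example-shared-secret-not-real"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_job_jwt(claims: dict) -> str:
    """Build an HS256 JWT from the given claims (constructed stand-in for CI_JOB_JWT)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_against_role(token: str,
                        bound_audiences: Optional[list],
                        bound_claims: Optional[dict] = None):
    """Mimic the checks a JWT auth role applies before issuing a Vault token.

    bound_audiences=None models a role with no audience restriction; a role
    provisioned through Terraform always has one, so tokens without aud fail.
    Returns (accepted, reason).
    """
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        return False, "expired"
    if bound_audiences:
        aud = claims.get("aud")
        if aud is None:
            return False, "token has no aud claim"
        auds = aud if isinstance(aud, list) else [aud]
        if not set(auds) & set(bound_audiences):
            return False, "aud %r not in bound_audiences" % auds
    # Optional extra binding on identity claims (project, ref, protected ref).
    for key, value in (bound_claims or {}).items():
        if claims.get(key) != value:
            return False, "claim %s mismatch" % key
    return True, "ok"


def demo() -> dict:
    """Compare a token with and without aud against a role that binds audiences."""
    vault_addr = "https://vault.example.internal:8200"  # constructed VAULT_ADDR
    base = {  # constructed subset of CI_JOB_JWT claims
        "iss": "gitlab.example.internal",
        "project_id": "42",
        "ref": "main",
        "ref_protected": "true",
        "exp": int(time.time()) + 300,
    }
    without_aud = mint_job_jwt(base)
    with_aud = mint_job_jwt({**base, "aud": vault_addr})
    wrong_aud = mint_job_jwt({**base, "aud": "https://other-vault.example:8200"})
    role_claims = {"project_id": "42", "ref_protected": "true"}
    return {
        "no_aud_vs_bound": verify_against_role(without_aud, [vault_addr], role_claims)[0],
        "aud_vs_bound": verify_against_role(with_aud, [vault_addr], role_claims)[0],
        "wrong_aud_vs_bound": verify_against_role(wrong_aud, [vault_addr], role_claims)[0],
        "no_aud_vs_unbound": verify_against_role(without_aud, None, role_claims)[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(name, "accepted" if accepted else "rejected")
```

The three rejected cases are the point: a role that sets bound_audiences rejects a token with no aud at all (today's CI_JOB_JWT) as well as one whose aud names a different Vault, so populating aud from VAULT_ADDR both satisfies Terraform's requirement and stops the same job token from being accepted by a Vault it was never meant for.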
Further details
Right now, I have to create the roles separately using the Vault CLI to bypass Terraform's requirement that bound_audiences be present on the jwt role resource. This change will allow us to have a fully automated solution for provisioning secrets management for teams.
Permissions and Security
Don't see any additional permissions or security needs beyond what is currently in place.
Documentation
Terraform requirements for JWT Auth role: https://www.terraform.io/docs/providers/vault/r/jwt_auth_backend_role.html
Availability & Testing
Any change to the CI_JOB_JWT payload would need to be regression tested but since it's a small additive change I would think the testing effort would not be very large.
What does success look like, and how can we measure that?
Success would be demonstrating a fully automated solution using Terraform to provision a new JWT role that Gitlab can use in pipelines.
What is the type of buyer?