Create Identity API to pass tokens and secrets to GitLab Projects
Problem to solve
During our CI/CD builds we would like to interact with a variety of services (e.g. deploying code, recording change, triggering monitoring downtime, etc.). All of these services require authentication to ensure only certain projects can perform certain operations.
Since each build is given a unique CI_JOB_TOKEN which authenticates the build to the GitLab API, we were hoping to be able to trade that for a temporary credential that works with the services listed above. For our credential service to authenticate using the Job Token, we need to be able to validate that the token works and determine which job/project/user it belongs to.
This could be used as an authentication mechanism to Vault, as it can prove which job/pipeline/project the caller is, ensuring tokens are passed to the appropriate areas in GitLab.
Proposal
A new API route that returns the current authenticated user or job via a 302 redirect, depending on the type of token that is passed.
Using a Job Token
curl --header "JOB-TOKEN: 1234567890abcdefghij" -i https://gitlab.example.com/api/v4/whoami
HTTP/1.1 302 Found
Location: https://gitlab.example.com/api/v4/projects/1234/jobs/5678
Using a Private Token
curl --header "PRIVATE-TOKEN: 1234567890abcdefghij" -i https://gitlab.example.com/api/v4/whoami
HTTP/1.1 302 Found
Location: https://gitlab.example.com/api/v4/users/1234
Using an Expired Token
curl --header "JOB-TOKEN: abcdefghij1234567890" -i https://gitlab.example.com/api/v4/whoami
HTTP/1.1 401 Unauthorized
{"message":"401 Unauthorized"}
Further Details
- new read-only controller for identities, working endpoint of /identity/
- info endpoint, similar to EC2's iam/info, modeled very closely after GET /user, working endpoint of GET /identity/info:
  - 401 if the identity of the caller cannot be determined (eg: due to a missing or invalid token)
  - 200 w/ body containing canonical ID, expirable boolean (for temporary credentials), and optional expiration date if expirable is truthy.
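The following is an added example, not code from GitLab or from this proposal, of how an external credential service (the Vault-style broker described above) could consume both proposed endpoints: it resolves a token to a job or user by reading the 302 Location from /api/v4/whoami, and it checks the expirable/expiration fields from GET /identity/info. The tokens, IDs, the JSON field names (id, expirable, expires_at) and the FakeGitLab stand-in that answers the requests are all constructed assumptions so the code runs offline; only the two paths and the 302/401/200 behaviour come from the proposal.

```python
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Identity locations the proposed /api/v4/whoami redirects to (from the proposal).
JOB_LOCATION = re.compile(r"^/api/v4/projects/(\d+)/jobs/(\d+)$")
USER_LOCATION = re.compile(r"^/api/v4/users/(\d+)$")


@dataclass
class Response:
    status: int
    headers: dict
    body: str


class TokenRejected(Exception):
    """Raised whenever a token cannot be mapped to exactly one valid identity."""


class FakeGitLab:
    """Constructed stand-in for the proposed endpoints (assumption: not GitLab code).
    Tokens, IDs, the expiry date and the /identity/info field names are invented."""

    BASE = "https://gitlab.example.com"

    def __init__(self):
        self.job_tokens = {"1234567890abcdefghij": (1234, 5678)}  # token -> (project, job)
        self.user_tokens = {"zyxwvutsrqponmlkjihg": 1234}         # token -> user id
        self.job_expires_at = "2024-01-01T00:00:00+00:00"         # job tokens are temporary

    def get(self, path, headers):
        job = headers.get("JOB-TOKEN")
        pat = headers.get("PRIVATE-TOKEN")
        unauthorized = Response(401, {}, '{"message":"401 Unauthorized"}')
        if path == "/api/v4/whoami":
            if job in self.job_tokens:
                project, job_id = self.job_tokens[job]
                return Response(302, {"Location": f"{self.BASE}/api/v4/projects/{project}/jobs/{job_id}"}, "")
            if pat in self.user_tokens:
                return Response(302, {"Location": f"{self.BASE}/api/v4/users/{self.user_tokens[pat]}"}, "")
            return unauthorized
        if path == "/identity/info":
            if job in self.job_tokens:
                project, job_id = self.job_tokens[job]
                body = {"id": f"job:{project}:{job_id}", "expirable": True, "expires_at": self.job_expires_at}
                return Response(200, {}, json.dumps(body))
            if pat in self.user_tokens:
                return Response(200, {}, json.dumps({"id": f"user:{self.user_tokens[pat]}", "expirable": False}))
            return unauthorized
        return Response(404, {}, "")


def resolve_identity(gitlab, header, token):
    """Map a token to ('job', project_id, job_id) or ('user', user_id) via /api/v4/whoami.
    The Location header is the answer; the redirect is deliberately not followed, so the
    token is never re-sent to wherever the server points and off-instance targets are refused."""
    resp = gitlab.get("/api/v4/whoami", {header: token})
    if resp.status == 401:
        raise TokenRejected("missing, invalid or expired token")
    if resp.status != 302:
        raise TokenRejected(f"unexpected status {resp.status}")
    location = resp.headers.get("Location", "")
    if not location.startswith(gitlab.BASE + "/"):
        raise TokenRejected("redirect does not point at this GitLab instance")
    path = location[len(gitlab.BASE):]
    match = JOB_LOCATION.match(path)
    if match:
        return ("job", int(match.group(1)), int(match.group(2)))
    match = USER_LOCATION.match(path)
    if match:
        return ("user", int(match.group(1)))
    raise TokenRejected(f"unrecognised identity location {path}")


def check_identity_info(gitlab, header, token, now):
    """Fetch GET /identity/info and reject expirable credentials that are past expiry."""
    resp = gitlab.get("/identity/info", {header: token})
    if resp.status != 200:
        raise TokenRejected(f"identity could not be determined ({resp.status})")
    info = json.loads(resp.body)
    if info["expirable"]:
        expires = datetime.fromisoformat(info["expires_at"])
        if expires <= now:
            raise TokenRejected(f"credential {info['id']} expired at {expires.isoformat()}")
    return info["id"]


def demo():
    """Exercise the three cases from the proposal plus the expiry check; returns outcomes."""
    gl = FakeGitLab()
    outcomes = {
        "job": resolve_identity(gl, "JOB-TOKEN", "1234567890abcdefghij"),
        "user": resolve_identity(gl, "PRIVATE-TOKEN", "zyxwvutsrqponmlkjihg"),
        "valid_info": check_identity_info(gl, "JOB-TOKEN", "1234567890abcdefghij",
                                          datetime(2023, 12, 31, tzinfo=timezone.utc)),
    }
    for name, call in {
        "expired_token": lambda: resolve_identity(gl, "JOB-TOKEN", "abcdefghij1234567890"),
        "expired_info": lambda: check_identity_info(gl, "JOB-TOKEN", "1234567890abcdefghij",
                                                    datetime(2024, 1, 2, tzinfo=timezone.utc)),
    }.items():
        try:
            call()
            outcomes[name] = "accepted"
        except TokenRejected as exc:
            outcomes[name] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The broker treats the whoami response as data rather than as a navigation instruction: an HTTP client configured to follow redirects would forward the JOB-TOKEN header to the Location target, so the service parses the header itself and only trusts paths under its own GitLab base URL. The expiry check is what makes the "expirable" flag from /identity/info useful to a caller issuing temporary downstream credentials: a credential is only minted while the job's own token is still valid.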
Details for how secrets work in the GitLab system:
What does success look like, and how can we measure that?
- An external service can identify which project/job a given Job Token belongs to (and is valid)
- Users can leverage this to integrate with Vault for token management