Update vault.md describing how to prevent possible security vulnerability
What does this MR do?
As described in https://gitlab.com/gitlab-org/gitlab/-/issues/322719, if a user of the public GitLab instance follows the Vault integration guide to the letter, the result is a security vulnerability. This is because enabling OIDC with oidc_discovery_url="https://gitlab.com" by default allows anyone with a public GitLab account to log in to the Vault instance.

Luckily, this is easily fixed by adding bound_claims scoped to your group ID (or whatever is preferred). Example given below.
```shell
vault write auth/oidc/role/gitlab -<<EOF
{
  "user_claim": "sub",
  "allowed_redirect_uris": "your_vault_instance_redirect_url",
  "bound_audiences": "your_application_id",
  "oidc_scopes": "openid",
  "role_type": "oidc",
  "policies": "gitlab",
  "ttl": "1h",
  "bound_claims": { "groups": ["yourGroup/yourSubgroup"] }
}
EOF
```
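To make the effect of the fix concrete, here is an added example (not Vault's or GitLab's own code) that models how a Vault OIDC role accepts or rejects an ID token: a claim value, or any element of a list-valued claim, must equal one of the role's expected values. The role dictionaries, the token claim sets and the group path `yourGroup/yourSubgroup` are constructed for illustration.

```python
"""Simplified model of Vault's bound_audiences / bound_claims check.

Added example, not Vault's own code: it mirrors the documented semantics
(a scalar claim must equal one expected value; a list-valued claim matches
if any element does) so the difference between the original role and the
role recommended in this MR can be seen on constructed tokens.
"""
from typing import Any

# Role as the original docs configured it: no bound_claims at all.
ROLE_OPEN = {
    "bound_audiences": ["your_application_id"],
    "bound_claims": {},
}

# Role as this MR recommends: additionally bound to one GitLab group path.
ROLE_BOUND = {
    "bound_audiences": ["your_application_id"],
    "bound_claims": {"groups": ["yourGroup/yourSubgroup"]},
}


def _claim_matches(actual: Any, expected: list) -> bool:
    """Scalar claim: must equal an expected value. List claim: any element may."""
    values = actual if isinstance(actual, list) else [actual]
    return any(v in expected for v in values)


def role_accepts(role: dict, claims: dict) -> bool:
    """Return True if the ID token's claims satisfy every binding on the role."""
    if not _claim_matches(claims.get("aud", []), role["bound_audiences"]):
        return False
    for name, expected in role["bound_claims"].items():
        if name not in claims:
            return False  # a token missing a bound claim is rejected outright
        if not _claim_matches(claims[name], expected):
            return False
    return True


# Constructed tokens: a member of the intended subgroup, and any other gitlab.com user.
MEMBER = {"sub": "1001", "aud": "your_application_id",
          "groups": ["yourGroup", "yourGroup/yourSubgroup"]}
STRANGER = {"sub": "9999", "aud": "your_application_id",
            "groups": ["someone-else/their-team"]}
```

With ROLE_OPEN both tokens log in, because the only binding is the audience every gitlab.com ID token for this application carries; with ROLE_BOUND only the group member does.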
Edited by Emanuele di Vizio