Diffstat (limited to 'doc/ci/examples/authenticating-with-hashicorp-vault/index.md')
-rw-r--r-- | doc/ci/examples/authenticating-with-hashicorp-vault/index.md | 72 |
1 files changed, 49 insertions, 23 deletions
diff --git a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md index fc1e06e91c6..65fe9fb44d4 100644 --- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md +++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md 
@@ -32,31 +32,57 @@ You must replace the `vault.example.com` URL below with the URL of your Vault se Each job has JSON Web Token (JWT) provided as CI/CD variable named `CI_JOB_JWT`. This JWT can be used to authenticate with Vault using the [JWT Auth](https://www.vaultproject.io/docs/auth/jwt#jwt-authentication) method. -The JWT's payload looks like this: +The following fields are included in the JWT: + +| Field | When | Description | +| ----------------------- | ------ | ----------- | +| `jti` | Always | Unique identifier for this token | +| `iss` | Always | Issuer, the domain of your GitLab instance | +| `iat` | Always | Issued at | +| `nbf` | Always | Not valid before | +| `exp` | Always | Expires at | +| `sub` | Always | Subject (job ID) | +| `namespace_id` | Always | Use this to scope to group or user level namespace by ID | +| `namespace_path` | Always | Use this to scope to group or user level namespace by path | +| `project_id` | Always | Use this to scope to project by ID | +| `project_path` | Always | Use this to scope to project by path | +| `user_id` | Always | ID of the user executing the job | +| `user_login` | Always | Username of the user executing the job | +| `user_email` | Always | Email of the user executing the job | +| `pipeline_id` | Always | ID of this pipeline | +| `pipeline_source` | Always | [Pipeline source](../../jobs/job_control.md#common-if-clauses-for-rules) | +| `job_id` | Always | ID of this job | +| `ref` | Always | Git ref for this job | +| `ref_type` | Always | Git ref type, either `branch` or `tag` | +| `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise | +| `environment` | Job is creating a deployment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) | +| `environment_protected` | Job is creating a deployment |`true` if deployed environment is protected, `false` otherwise 
([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) | + +Example JWT payload: ```json { - "jti": "c82eeb0c-5c6f-4a33-abf5-4c474b92b558", # Unique identifier for this token - "iss": "gitlab.example.com", # Issuer, the domain of your GitLab instance - "iat": 1585710286, # Issued at - "nbf": 1585798372, # Not valid before - "exp": 1585713886, # Expire at - "sub": "job_1212", # Subject (job id) - "namespace_id": "1", # Use this to scope to group or user level namespace by id - "namespace_path": "mygroup", # Use this to scope to group or user level namespace by path - "project_id": "22", # - "project_path": "mygroup/myproject", # - "user_id": "42", # Id of the user executing the job - "user_login": "myuser" # GitLab @username - "user_email": "myuser@example.com", # Email of the user executing the job - "pipeline_id": "1212", # - "pipeline_source": "web", # Pipeline source, see: https://docs.gitlab.com/ee/ci/yaml/#common-if-clauses-for-rules - "job_id": "1212", # - "ref": "auto-deploy-2020-04-01", # Git ref for this job - "ref_type": "branch", # Git ref type, branch or tag - "ref_protected": "true", # true if this git ref is protected, false otherwise - "environment": "production", # Environment this job deploys to, if present (GitLab 13.9 and later) - "environment_protected": "true" # true if deployed environment is protected, false otherwise (GitLab 13.9 and later) + "jti": "c82eeb0c-5c6f-4a33-abf5-4c474b92b558", + "iss": "gitlab.example.com", + "iat": 1585710286, + "nbf": 1585798372, + "exp": 1585713886, + "sub": "job_1212", + "namespace_id": "1", + "namespace_path": "mygroup", + "project_id": "22", + "project_path": "mygroup/myproject", + "user_id": "42", + "user_login": "myuser", + "user_email": "myuser@example.com", + "pipeline_id": "1212", + "pipeline_source": "web", + "job_id": "1212", + "ref": "auto-deploy-2020-04-01", + "ref_type": "branch", + "ref_protected": "true", + "environment": "production", + "environment_protected": 
"true" } ``` @@ -204,7 +230,7 @@ read_secrets: ``` NOTE: -If you're using a Vault instance provided by HashiCorp Cloud Platform, +If you're using a Vault instance provided by HashiCorp Cloud Platform, you need to export the `VAULT_NAMESPACE` variable. Its default value is `admin`. ![read_secrets staging](img/vault-read-secrets-staging.png) |
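Review bot: in the first hunk the "Example JWT payload" keeps timestamps that contradict each other: `"nbf": 1585798372` is later than `"exp": 1585713886`, so the sample token would never be valid; set `nbf` to a value at or before `iat` (1585710286). The table also describes `ref_protected` and `environment_protected` as `true`/`false` while the example encodes them as JSON strings (`"ref_protected": "true"`); because Vault `bound_claims` matching is literal, say in the table that these claims are the strings `"true"`/`"false"`, or unquote them in the example, whichever matches what GitLab emits. Minor style point on the last table row: `|`true` if deployed environment is protected` is missing the space after the `|` that every other row has.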
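Review bot: in the second hunk the removed and added lines read identically, so this is a whitespace-only change (presumably a stripped trailing space), which is fine to fold in but does not make the NOTE more useful: it still does not say where `VAULT_NAMESPACE` has to be set. A short hint that it belongs in the job's `variables:` section (or is exported in `script:` before the `vault` commands run), with the `admin` default shown, would make the note actionable.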