-
Notifications
You must be signed in to change notification settings - Fork 544
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add GitLab Support for Ambient Credential Detection #1254
Comments
There's some discussion over here: sigstore/fulcio#243 The tokens are currently missing an audience so we can't use them directly. It sounds like that might be in progress though! |
Yeah, we should NOT do this before the public Fulcio supports gitlab via |
If possible, I think using If Fulcio is passed our https://docs.gitlab.com/ee/api/jobs.html#get-job-tokens-job One desirable property of the I understand this is still not as ideal as crafting a JWT with a specific I'm pushing on adding support for custom To reiterate, [edit]: this is being tracked here on our side: https://gitlab.com/gitlab-org/gitlab/-/issues/294291 Let me know if this is a workable solution or if you have any questions! |
@marshall007 I am curious what you anticipate Fulcio would do with this information?
This is the aspect I'm struggling with, since we're talking about granting access to sign against Fulcio without that being explicitly declared. 😅
Yeah, I totally get it and empathize with the goal, but I still am not seeing how we differentiate between The scenario I'm imagining is: in a hypothetical future |
Here's a thought, which might be a decent compromise, since my major issue is folks opting into the dangers here... We could teach Fulcio to do what you suggest, which would enable folks to opt-in to this functionality in their own private Fulcio instances. However, for the "public good" Fulcio instance, we would continue to require Folks using their own Fulcio could still: cosign sign --fulcio-url ... --identity-token ${CI_JOB_JWT} IMAGE However, this would only work with cosign sign IMAGE |
@mattmoor to be clear
I can fully appreciate not wanting to "teach" Fulcio how to interpret GitLab-specific opaque job tokens. I was just presenting it as a possible backwards-compatible solution for all the |
Completed by @wlynch |
Description
There are some environment variables provided by GitLab to the runner environment which we can use to authenticate.
CI_JOB_JWT: A RS256 JSON web token to authenticate with third party systems that support JWT authentication, for example HashiCorp’s Vault. CI_JOB_JWT_V2: alpha: A newly formatted RS256 JSON web token to increase compatibility. Similar to CI_JOB_JWT, except the issuer (iss) claim is changed from gitlab.com to https://gitlab.com, sub has changed from job_id to a string that contains the project path, and an aud claim is added. Format is subject to change. CI_JOB_TOKEN: A token to authenticate with certain API endpoints. The token is valid as long as the job is running.
👉 https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
cc: @dlorenc @Dentrax @orhun
The text was updated successfully, but these errors were encountered: