author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-17 09:07:11 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-17 09:07:11 +0300 |
commit | 75621c94b5dbe233edd72c3d8cc602fed25e84d2 (patch) | |
tree | a38d832241e66a2e296e276493bff0260bfc9712 /doc/ci | |
parent | 9bf8cb8d34039f3cef9e1b2f812ce634f2bebe69 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/ci')
-rw-r--r-- | doc/ci/cloud_services/google_cloud/index.md | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/doc/ci/cloud_services/google_cloud/index.md b/doc/ci/cloud_services/google_cloud/index.md index 5ed22883518..d99b50b5013 100644 --- a/doc/ci/cloud_services/google_cloud/index.md +++ b/doc/ci/cloud_services/google_cloud/index.md @@ -114,6 +114,17 @@ the assertion in the previous section. After you configure the OIDC and role, the GitLab CI/CD job can retrieve a temporary credential from the [Google Cloud Security Token Service (STS)](https://cloud.google.com/iam/docs/reference/sts/rest). +Add `id_tokens` to your CI/CD job: + +```yaml +job: + id_tokens: + GITLAB_OIDC_TOKEN: + aud: https://gitlab.example.com +``` + +Get temporary credentials using the ID token: + ```shell PAYLOAD="$(cat <<EOF { @@ -122,7 +133,7 @@ PAYLOAD="$(cat <<EOF "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token", "scope": "https://www.googleapis.com/auth/cloud-platform", "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt", - "subjectToken": "${CI_JOB_JWT_V2}" + "subjectToken": "${GITLAB_OIDC_TOKEN}" } EOF )" @@ -142,8 +153,7 @@ Where: - `PROJECT_NUMBER` is your Google Cloud project number (not name). - `POOL_ID` is the ID of the Workload Identity Pool created in the first section. - `PROVIDER_ID` is the ID of the Workload Identity Provider created in the second section. -- `CI_JOB_JWT_V2` is injected into the CI/CD job by GitLab. For more information about - this variable, read [Connect to cloud services](../index.md). +- `GITLAB_OIDC_TOKEN` is an OIDC [ID token](../../yaml/index.md#id_tokens). You can then use the resulting federated token to impersonate the service account created in the previous section: |
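Review bot: In the new `id_tokens` example (first hunk), the `aud` value `https://gitlab.example.com` is shown without saying what it has to agree with. Google STS only accepts the token if its `aud` claim is one of the allowed audiences on the Workload Identity Provider created in the second section, so the example should state that this value must equal the audience configured on that provider (or the provider's default audience if none was set explicitly); otherwise the exchange below fails with an audience mismatch rather than returning a token. One sentence after the YAML block would do, for example: `The aud value must match the allowed audience configured on the Workload Identity Provider.`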
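Review bot: In the `PAYLOAD` heredoc (second hunk), `${GITLAB_OIDC_TOKEN}` expands to an empty string when the job has no matching `id_tokens` entry, so the STS request goes out with `"subjectToken": ""` and fails with an error that does not point at the real cause. Because the variable now depends on a keyword the reader has to add themselves, unlike the previously injected `CI_JOB_JWT_V2`, consider guarding the script before the payload is built, e.g. `: "${GITLAB_OIDC_TOKEN:?id_tokens is not configured for this job}"`. Note also that the unquoted heredoc expands the full JWT inline, so running this step with shell tracing enabled prints the token into the job log; a short caveat against that is worth adding.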
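Review bot: The rewritten bullet in the `Where:` list (third hunk) no longer tells the reader where `GITLAB_OIDC_TOKEN` comes from: the removed text at least said the variable was injected by GitLab and linked to the cloud-services overview. Since the name is now user-chosen, the bullet should say that it is the variable declared under `id_tokens` in the job and that the two names must match, for example: `- GITLAB_OIDC_TOKEN is the OIDC ID token declared under id_tokens in the job; the name must match the key used there.` Keeping the `../index.md` link to Connect to cloud services next to the `id_tokens` link would also help readers who did not arrive through the earlier sections.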