Diffstat (limited to 'doc/ci/examples/authenticating-with-hashicorp-vault/index.md')
-rw-r--r-- | doc/ci/examples/authenticating-with-hashicorp-vault/index.md | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md index 5fca3513ff7..389429f3f0f 100644 --- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md +++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md @@ -277,3 +277,19 @@ read_secrets: ``` ![read_secrets production](img/vault-read-secrets-production.png) + +### Limit token access to Vault secrets + +You can control `CI_JOB_JWT` access to Vault secrets by using Vault protections +and GitLab features. For example, restrict the token by: + +- Using Vault [bound_claims](https://www.vaultproject.io/docs/auth/jwt#bound-claims) + for specific groups using `group_claim`. +- Hard coding values for Vault bound claims based on the `user_login` and `user_email` + of specific users. +- Setting Vault time limits for TTL of the token as specified in [`token_explicit_max_ttl`](https://www.vaultproject.io/api/auth/jwt#token_explicit_max_ttl), + where the token expires after authentication. +- Scoping the JWT to [GitLab projected branches](../../../user/project/protected_branches.md) + that are restricted to a subset of project users. +- Scoping the JWT to [GitLab projected tags](../../../user/project/protected_tags.md), + that are restricted to a subset of project users. |
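Review bot: The two final bullets of the new section say "GitLab projected branches" and "GitLab projected tags", but the link targets are `protected_branches.md` and `protected_tags.md`, so "projected" is a typo for "protected" in both; since restricting which refs can obtain the Vault token is the whole point of the bullet, the wrong word changes the meaning and should be fixed before merge. The `token_explicit_max_ttl` bullet also reads oddly: "where the token expires after authentication" suggests the token is invalidated immediately once it has been used, whereas the linked parameter bounds the lifetime of the Vault token issued at login; something like "so that the Vault token issued at login cannot outlive the configured limit" would be clearer. Minor: the stray comma in "GitLab projected tags, that are restricted" should be dropped to match the preceding bullet.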