From d72c75d9da30d2e2b1cb82e2562d7eead99d5c96 Mon Sep 17 00:00:00 2001 From: Avielle Wolfe Date: Mon, 5 Dec 2022 17:06:41 +0100 Subject: [PATCH 1/3] Add docs for `id_tokens` This commit documents the `id_tokens` keyword. It doesn't document how to use ID tokens with Vault secrets, since that functionality is not yet available to users. --- doc/ci/yaml/index.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/doc/ci/yaml/index.md b/doc/ci/yaml/index.md index 5d6f4e965ea3c2..41d1ab6f9e2661 100644 --- a/doc/ci/yaml/index.md +++ b/doc/ci/yaml/index.md @@ -1904,6 +1904,30 @@ job1: script: echo 'hello job1 script' ``` +### `id_tokens` + +> Introduced in GitLab 15.7. + +Use `id_tokens` to create [JWTs](https://www.rfc-editor.org/rfc/rfc7519) to authenticate with third party services. All +JWTs created this way are V2. The required `aud` sub-keyword is used to configure the `aud` claim for the JWT. The `aud` +can be configured either as a single string or as an array of string. + +**Example of `id_tokens`**: + +```yaml +job_with_id_tokens: + id_tokens: + ID_TOKEN_1: + aud: https://gitlab.com + ID_TOKEN_2: + aud: + - https://gcp.com + - https://aws.com + script: + - command_to_authenticate_with_gitlab $ID_TOKEN_1 + - command_to_authenticate_with_aws $ID_TOKEN_2 +``` + ### `image` Use `image` to specify a Docker image that the job runs in. -- GitLab From 15d667bff69843d820040e20d25ce5837b172d6e Mon Sep 17 00:00:00 2001 From: Marcel Amirault Date: Wed, 7 Dec 2022 12:30:46 +0000 Subject: [PATCH 2/3] Add suggestions from review --- doc/ci/yaml/index.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/doc/ci/yaml/index.md b/doc/ci/yaml/index.md index 41d1ab6f9e2661..3cd3a76165a68e 100644 --- a/doc/ci/yaml/index.md +++ b/doc/ci/yaml/index.md 
@@ -1906,11 +1906,14 @@ job1: ### `id_tokens` -> Introduced in GitLab 15.7. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/356986) in GitLab 15.7. -Use `id_tokens` to create [JWTs](https://www.rfc-editor.org/rfc/rfc7519) to authenticate with third party services. All -JWTs created this way are V2. The required `aud` sub-keyword is used to configure the `aud` claim for the JWT. The `aud` -can be configured either as a single string or as an array of string. +Use `id_tokens` to create [JSON web tokens (JWT)](https://www.rfc-editor.org/rfc/rfc7519) to authenticate with third party services. All +JWTs created this way are V2. The required `aud` sub-keyword is used to configure the `aud` claim for the JWT. + +**Possible inputs**: + +- - Token names with their `aud` claims. `aud` can be a single string or as an array of strings. **Example of `id_tokens`**: -- GitLab From 664c647c697253518eebcbbb870250120b6dd8df Mon Sep 17 00:00:00 2001 From: Avielle Wolfe Date: Wed, 7 Dec 2022 13:37:33 +0100 Subject: [PATCH 3/3] Explain JWT V2 --- doc/ci/yaml/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/ci/yaml/index.md b/doc/ci/yaml/index.md index 3cd3a76165a68e..03b9ea8fb624d7 100644 --- a/doc/ci/yaml/index.md +++ b/doc/ci/yaml/index.md 
@@ -1909,11 +1909,11 @@ job1: > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/356986) in GitLab 15.7. Use `id_tokens` to create [JSON web tokens (JWT)](https://www.rfc-editor.org/rfc/rfc7519) to authenticate with third party services. All -JWTs created this way are V2. The required `aud` sub-keyword is used to configure the `aud` claim for the JWT. +JWTs created this way support OIDC authentication. The required `aud` sub-keyword is used to configure the `aud` claim for the JWT. **Possible inputs**: -- - Token names with their `aud` claims. `aud` can be a single string or as an array of strings. +- Token names with their `aud` claims. `aud` can be a single string or as an array of strings. **Example of `id_tokens`**: -- GitLab
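Review bot: In [PATCH 1/3], the example gives `ID_TOKEN_2` two audiences (`https://gcp.com` and `https://aws.com`), but the script only passes it to `command_to_authenticate_with_aws`, and the prose never says what a multi-value `aud` means. A JWT whose `aud` lists both values is acceptable to either service, so a reader copying this ends up with one token that both parties can use. Either add a sentence explaining that, or change the example to one token per service so each token is scoped to a single audience. Separately, "an array of string" in the last added paragraph should read "an array of strings", and "V2" is used without saying what it is a version of.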
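Review bot: In [PATCH 2/3], the added list item under **Possible inputs** starts with a doubled marker ("- - Token names with their ..."), which renders as an empty bullet containing a nested bullet. The next patch in the series removes it, so the fix should be squashed into this commit rather than landing as a separate change. The same line also reads "can be a single string or as an array of strings"; the "as" is left over from the earlier sentence and should be dropped.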
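Review bot: In [PATCH 3/3], the replacement sentence says the JWTs "support OIDC authentication" but gives the reader nothing to follow up on, while the JWT term in the same paragraph is linked to its RFC. Link "OIDC" to the relevant documentation or spell out the abbreviation on first use. The corrected list item still carries the stray "as" in "a single string or as an array of strings", and "third party services" in the unchanged context line should be hyphenated ("third-party") if that line is touched again.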