Gitlab CI Login
Create ID Token in Gitlab pipeline
.common-jwt:
  id_tokens:
    CI_JOB_JWT:
      aud: https://gitlab.com
Reference it in a job or config with extends:
.config:
  extends: .common-jwt
Job/Config Setup
Add the Vault namespace, auth method, and role to the config.
AUTH_METHOD is the mount path of the auth backend we are using (jwt-v2):
.config:
  extends: .common-jwt
  variables:
    VAULT_ROLE: "demo"
    AUTH_METHOD: "gitlab-jwt"

.login_vault: &vault_login
  - export VAULT_TOKEN=$(vault write -field=token auth/${AUTH_METHOD}/login role=$VAULT_ROLE jwt=$CI_JOB_JWT)
Now we bring it all together in a job that uses all of these:
validate_vault_token:
  stage: validate
  extends: .config
  before_script:
    - *vault_login
    # Use the token
    - vault token lookup
    - export TOKEN=$(vault kv get -field=client_id creds/kubernetes)
    - if [[ -z "${TOKEN}" ]]; then echo "TOKEN missing"; exit 1; fi
  script:
    - echo "using ${TOKEN}, don't actually echo your token" >&2
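As an added example, not code from the original page: a shell helper a job's before_script could run to decode the CI_JOB_JWT payload and confirm its aud matches the audience set under id_tokens before the token is handed to Vault. The sample token is constructed inline with a placeholder signature; make_sample_jwt, jwt_claim and check_aud are names chosen here.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: inspect the CI_JOB_JWT payload in
# the job before the vault login, so an aud that does not match the audience
# set under id_tokens fails with a clear message instead of an opaque Vault error.
set -euo pipefail

# Base64url-encode a string (used only to build the constructed sample token).
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'
}

# Base64url-decode one JWT segment: restore the standard alphabet and padding.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | sed -e 's/-/+/g' -e 's|_|/|g')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print a string-valued claim from the payload (second segment). The signature
# is deliberately not checked here: Vault validates it against GitLab's JWKS.
jwt_claim() {
  local jwt="$1" claim="$2" payload
  payload=$(b64url_decode "$(printf '%s' "$jwt" | cut -d. -f2)")
  printf '%s' "$payload" | sed -n "s/.*\"${claim}\":\"\([^\"]*\)\".*/\1/p"
}

# Succeed only if the token's aud equals the audience the job expects.
check_aud() {
  local aud
  aud=$(jwt_claim "$1" aud)
  [ "$aud" = "$2" ]
}

# Constructed sample token carrying the audience from the id_tokens block above;
# the third segment is a placeholder, not a real RS256 signature.
make_sample_jwt() {
  printf '%s.%s.%s' \
    "$(b64url_encode '{"alg":"RS256","typ":"JWT"}')" \
    "$(b64url_encode '{"aud":"https://gitlab.com","project_path":"group/demo","ref":"main"}')" \
    "placeholder-signature"
}

# In a real job: check_aud "$CI_JOB_JWT" "https://gitlab.com" || exit 1
if [ "${1:-}" = "--demo" ]; then
  tok=$(make_sample_jwt)
  check_aud "$tok" "https://gitlab.com" && echo "aud ok for $(jwt_claim "$tok" project_path)"
fi
```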