Use GCP Secret Manager secrets in GitLab CI/CD

DETAILS: Tier: Premium, Ultimate Offering: SaaS, self-managed

Introduced in GitLab and GitLab Runner 16.8.

You can use secrets stored in the Google Cloud (GCP) Secret Manager in your GitLab CI/CD pipelines.

The flow for using GitLab with GCP Secret Manager is:

GitLab issues an ID token to the CI/CD job.
The runner authenticates to GCP using the ID token.
GCP verifies the ID token with GitLab.
GCP issues a short-lived access token.
The runner accesses the secret data using the access token.
GCP checks IAM permission on the access token's principal.
GCP returns the secret data to the runner.

To use GitLab with GCP Secret Manager, you must:

Have secrets stored in GCP Secret Manager.
Configure GCP Workload Identity Federation to include GitLab as an identity provider.
Configure GCP IAM permissions to grant access to GCP Secret Manager.
Configure GitLab CI/CD with GCP Secret Manager.

Configure GCP IAM Workload Identity Federation (WIF)

GCP IAM WIF must be configured to recognize ID tokens issued by GitLab and assign an appropriate principal to them. The principal is used to authorize access to the Secret Manager resources:

In GCP Console, go to IAM & Admin > Workload Identity Federation.
Select CREATE POOL and create a new identity pool with a unique name, for example gitlab-pool.
Select ADD PROVIDER to add a new OIDC Provider to the Identity Pool with a unique name, for example gitlab-provider.
1. Set Issuer (URL) to the GitLab URL, for example https://gitlab.com.
2. Select Default audience, or select Allowed audiences for a custom audience, which is used in the aud for the GitLab CI/CD ID token.
Under Attribute Mapping, create the following mappings, where:
- attribute.X is the name of the attribute you want to be present on Google's claims.
- assertion.X is the value to extract from the GitLab claim.
Attribute (on Google) Assertion (from GitLab)

google.subject assertion.sub

attribute.gitlab_project_id assertion.project_id

Attribute (on Google)	Assertion (from GitLab)
`google.subject`	`assertion.sub`
`attribute.gitlab_project_id`	`assertion.project_id`

Grant access to GCP IAM principal

After setting up WIF, you must grant the WIF principal access to the secrets in Secret Manager.

In GCP Console, go to IAM & Admin > IAM.
Select GRANT ACCESS to grant access to the principal set created through the WIF provider. The external identity format is:
```
principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.gitlab_project_id/GITLAB_PROJECT_ID
```
In this example:
- PROJECT_NUMBER: Your Google Cloud project number (not ID) which can be found in the Project's dashboard.
- POOL_ID: The ID (not name) of the Workload Identity Pool created in the first section, for example gitlab-pool.
- GITLAB_PROJECT_ID: The GitLab project ID found on the project overview page.
Assign the role Secret Manager Secret Accessor.
(Optional) Select IAM condition (Optional) to add an IAM condition. Under Condition Builder, you can add conditions. For example, you could add two AND conditions:
- First condition:
  - Condition type: Type
  - Operator: is
  - Resource type: secretmanager.googleapis.com/SecretVersion
- Second condition:
  - Condition type: Name
  - Operator: Starts with
  - Value: The pattern of secrets that you want to grant access to.

You can add additional IAM conditions for fine-grained access controls, including accessing secrets with names starting with the project name.

Configure GitLab CI/CD to use GCP Secret Manager secrets

You must add these CI/CD variables to provide details about your GCP Secret Manager:

GCP_PROJECT_NUMBER: The GCP Project Number.
GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID: The WIF Pool ID, for example gitlab-pool.
GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID: The WIF Provider ID, for example gitlab-provider.

Then you can use secrets stored in GCP Secret Manager in CI/CD jobs by defining them with the gcp_secret_manager keyword:

job_using_gcp_sm:
  id_tokens:
    GCP_ID_TOKEN:
      # `aud` must match the audience defined in the WIF Identity Pool.
      aud: https://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID}/providers/${GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID}
  secrets:
    DATABASE_PASSWORD:
      gcp_secret_manager:
        name: my-project-secret  # This is the name of the secret defined in GCP Secret Manager
        version: 1               # optional: default to `latest`.
      token: $GCP_ID_TOKEN

Troubleshooting

`The size of mapped attribute google.subject exceeds the 127 bytes limit` error

A long merge request branch name can cause a job to fail with the following error if the assertion.sub attribute is more than 127 characters:

ERROR: Job failed (system failure): resolving secrets: failed to exchange sts token: googleapi: got HTTP response code 400 with body:
{"error":"invalid_request","error_description":"The size of mapped attribute google.subject exceeds the 127 bytes limit.
Either modify your attribute mapping or the incoming assertion to produce a mapped attribute that is less than 127 bytes."}

For example, for a gitlab-org/gitlab branch, the payload would be project_path:gitlab-org/gitlab:ref_type:branch:ref:{branch_name}, so the branch name should be 76 characters or less.