For eons there have only been three ways to “secure” your build platform or servers. All of them have been historically bad, for different reasons:
The ideal solution is for GitLab to authenticate directly with AWS, so that you grant each job access to exactly the AWS resources it needs, scoped to the context of that job. That now exists.
GitLab generates a signed JWT for every CI job, and AWS can exchange that JWT for temporary credentials. (You don't need any detour through HashiCorp's Vault; you'll notice we get this working without it.)
GitLab's job tokens look like this:
Now it's just a matter of configuring AWS to accept that token and exchange it for temporary STS credentials.
We'll use the STS AssumeRoleWithWebIdentity call to exchange the token for short-lived credentials (access key, secret key and session token) for an IAM role.
Create an OpenID Connect identity provider in IAM for your GitLab host:
Update the role's trust policy to restrict which tokens may assume it. Only the token's sub, aud and amr claims are available to the policy as condition keys (written as <provider>:sub and so on), so the restriction has to be expressed in terms of those:
Okay, it almost works, but there is one small problem: the token has no aud claim, which AWS requires. So you'll actually get this error:
An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Missing a required claim: aud (Relevant GitLab open issue)
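As an added example (not code from the original post), here is a small Node.js pre-flight that decodes the job JWT and checks it the way AWS will before the exchange: it reproduces the missing-aud failure above locally, and it models the trust policy's StringEquals / StringLike conditions, including the fact that only the sub, aud and amr claims can be used as condition keys. The provider host gitlab.example.com, the sample claims, the audience value and the condition patterns are assumptions; the optional exchange function at the end assumes the @aws-sdk/client-sts package is installed and is not needed to run the checks.

```javascript
// Added example, not code from the original post. A local pre-flight that
// decodes a GitLab CI job JWT and checks it the way AWS will before you hand
// it to AssumeRoleWithWebIdentity: required claims (a missing `aud` is exactly
// what produces "Missing a required claim: aud"), issuer, expiry, and the
// StringEquals / StringLike conditions of the role's trust policy.
// No signature check is done here; AWS verifies the RS256 signature against
// the provider's JWKS. Host names, claims and conditions are assumptions.

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return { header: decodeSegment(parts[0]), payload: decodeSegment(parts[1]) };
}

// IAM exposes only these token claims as condition keys for a web-identity
// provider (written "<provider-host>:<claim>"); every other claim in the
// token, such as project_path, is invisible to the trust policy.
const CONDITION_CLAIMS = new Set(['sub', 'aud', 'amr']);

// IAM StringLike pattern (* and ? wildcards) -> anchored RegExp.
function stringLike(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`);
}

function preflightForAws(token, { providerHost, conditions = {}, now = Math.floor(Date.now() / 1000) }) {
  const { payload } = decodeJwt(token);
  const problems = [];

  for (const claim of ['iss', 'sub', 'aud', 'exp']) {
    if (payload[claim] === undefined) problems.push(`Missing a required claim: ${claim}`);
  }
  if (problems.length) return { ok: false, problems };

  // GitLab's job token carries the bare host in `iss`; strip any scheme so
  // either form compares against the provider URL configured in IAM.
  if (String(payload.iss).replace(/^https?:\/\//, '') !== providerHost) {
    problems.push(`issuer ${payload.iss} does not match provider ${providerHost}`);
  }
  if (payload.exp <= now) problems.push('token is expired');

  for (const [operator, block] of Object.entries(conditions)) {
    for (const [key, want] of Object.entries(block)) {
      const [host, claim] = key.split(':');
      if (host !== providerHost || !CONDITION_CLAIMS.has(claim)) {
        problems.push(`${key} is not a usable web-identity condition key`);
        continue;
      }
      const have = payload[claim];
      const wanted = Array.isArray(want) ? want : [want];
      const matched = operator === 'StringEquals' ? wanted.includes(have)
        : operator === 'StringLike' ? wanted.some((p) => stringLike(p).test(String(have)))
        : false; // other operators are not modelled here
      if (!matched) problems.push(`${operator} on ${key} failed: token has ${JSON.stringify(have)}`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample claims modelled on a GitLab CI_JOB_JWT; note there is no `aud`.
// The signature segment is a placeholder since nothing here verifies it.
function sampleGitlabToken(extraClaims = {}) {
  const header = { alg: 'RS256', typ: 'JWT', kid: 'example-kid' };
  const payload = {
    iss: 'gitlab.example.com', sub: 'job_1234', jti: 'c1d2e3f4',
    iat: 1600000000, nbf: 1600000000, exp: 1600003600,
    project_id: 42, project_path: 'group/repo', ref: 'main', ref_protected: 'true',
    ...extraClaims,
  };
  return `${b64url(header)}.${b64url(payload)}.${b64url({ sig: 'placeholder' })}`;
}

// Assumed trust-policy conditions: require the audience and restrict `sub`.
const trustConditions = {
  StringEquals: { 'gitlab.example.com:aud': 'sts.amazonaws.com' },
  StringLike: { 'gitlab.example.com:sub': 'job_*' },
};

// The exchange itself, once the pre-flight passes. Assumes the AWS SDK v3
// package @aws-sdk/client-sts is installed; it is loaded lazily so the rest of
// this file runs without it. Returns AccessKeyId/SecretAccessKey/SessionToken.
async function exchangeForAwsCredentials(token, roleArn, region = 'us-east-1') {
  const { STSClient, AssumeRoleWithWebIdentityCommand } = require('@aws-sdk/client-sts');
  const sts = new STSClient({ region });
  const out = await sts.send(new AssumeRoleWithWebIdentityCommand({
    RoleArn: roleArn,
    RoleSessionName: `gitlab-${decodeJwt(token).payload.sub}`,
    WebIdentityToken: token,
    DurationSeconds: 900,
  }));
  return out.Credentials;
}

if (typeof require !== 'undefined' && require.main === module) {
  const opts = { providerHost: 'gitlab.example.com', conditions: trustConditions, now: 1600000100 };
  console.log(preflightForAws(sampleGitlabToken(), opts));                             // missing aud
  console.log(preflightForAws(sampleGitlabToken({ aud: 'sts.amazonaws.com' }), opts)); // ok
}
```

Running the file prints the same "Missing a required claim: aud" result for the plain job token, and a clean result once an aud claim is present; a condition on project_path is flagged because IAM never sees that claim, which is why the restriction has to be carried in sub or aud.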
So what can we do about it?
We need to exchange the GitLab JWT for one that carries an aud claim. You could do that by running your own public service that accepts GitLab JWTs and reissues them, but there is a slightly easier way.
Authorization URL to be
Create a new identity provider in AWS that matches the Authress connection. The provider URL is your account domain from the connection configuration, and the AWS audience is the connectionId from Authress.
Then the job only needs a couple of lines swapped out. JavaScript is used here because it is much simpler to work with than raw bash.