GitLab OIDC Workload Identity
Definition
GitLab OIDC Workload Identity lets a GitLab CI/CD job authenticate to a cloud provider with an OpenID Connect (OIDC) ID token that GitLab issues and signs for that specific job, instead of with a long-lived cloud credential stored in the repository or in CI/CD variables. The job requests the token with the id_tokens keyword (the older CI_JOB_JWT and CI_JOB_JWT_V2 variables are deprecated since GitLab 15.9 and removed in 17.0). The cloud provider's identity federation (for example Google Cloud Workload Identity Federation) verifies the signature against the GitLab instance's published keys, checks the issuer and audience, and exchanges the token for a short-lived cloud credential only if the token's claims (project_path, ref, ref_type, ref_protected, environment, and so on) satisfy the trust condition configured on the provider. Nothing long-lived exists to leak: a dumped variable or an exposed pipeline log yields at most a token that expires within the hour and is bound to one job. The claims the trust condition does not check are the remaining attack surface; a provider that accepts any token from the GitLab instance without pinning project and branch lets every pipeline on that instance assume the role.
Secure Settings Example
# .gitlab-ci.yml
# Assumed CI/CD variables: GCP_PROJECT_NUMBER, GCP_WORKLOAD_IDENTITY_POOL,
# GCP_WORKLOAD_IDENTITY_PROVIDER, GCP_SERVICE_ACCOUNT, GOOGLE_PROJECT_ID.
# No key file is stored anywhere; the only secret is the per-job ID token.
stages:
  - deploy

deploy:
  stage: deploy
  image: google/cloud-sdk:latest
  # Ask GitLab for a signed ID token whose audience is the Workload Identity
  # Federation provider; a token with any other audience is rejected by GCP.
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL}/providers/${GCP_WORKLOAD_IDENTITY_PROVIDER}
  script:
    - echo "$GITLAB_OIDC_TOKEN" > .ci_job_jwt_file
    # Write a credential configuration that exchanges the ID token for a
    # short-lived access token impersonating the deploy service account.
    - gcloud iam workload-identity-pools create-cred-config "projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL}/providers/${GCP_WORKLOAD_IDENTITY_PROVIDER}" --service-account="$GCP_SERVICE_ACCOUNT" --output-file=.gcp_temp_cred.json --credential-source-file=.ci_job_jwt_file
    - gcloud auth login --cred-file="$(pwd)/.gcp_temp_cred.json"
    - gcloud config set project "$GOOGLE_PROJECT_ID"
    - gcloud app deploy --quiet
  environment:
    name: production
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
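What makes this pattern safe is not the token itself but the trust condition the cloud provider evaluates against the token's claims. The following Python script is an added illustration, not GitLab's or Google's code: it builds a few constructed, unsigned GitLab-style ID tokens and applies the checks a Workload Identity Federation provider and its attribute condition should enforce (issuer, audience, validity window, and pinning to one project and the protected main branch). The GitLab host, the provider resource name and the project path are assumed values; signature verification against the instance's JWKS is the provider's job and is not modelled here.

```python
"""Inspect GitLab CI ID tokens and apply the trust checks a workload identity
provider should enforce.

Added example; not GitLab's or Google's code. All tokens are CONSTRUCTED and
unsigned (placeholder signature). The cloud provider verifies the real
signature against the GitLab instance's JWKS; this script models only the
claim checks, which is where the scoping decisions live.
"""
import base64
import json
import time
from typing import Dict, List, Optional

# Assumed values: replace with your GitLab host, WIF provider and project.
EXPECTED_ISSUER = "https://gitlab.example.com"
EXPECTED_AUDIENCE = (
    "https://iam.googleapis.com/projects/123456789012/locations/global/"
    "workloadIdentityPools/gitlab-pool/providers/gitlab-provider"
)
TRUSTED_PROJECT = "mygroup/myapp"
# Equivalent GCP attribute condition (CEL) on the provider:
#   assertion.project_path == "mygroup/myapp" &&
#   assertion.ref_type == "branch" && assertion.ref == "main" &&
#   assertion.ref_protected == "true"

NOW = 1_700_000_000  # fixed clock for the constructed tokens


def _b64url_encode(obj: Dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: Dict) -> str:
    """Build an unsigned JWT (constructed test data only)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder-sig"


def decode_claims(token: str) -> Dict:
    """Return the payload claims; deliberately no signature check here."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_trust(claims: Dict, now: Optional[int] = None) -> List[str]:
    """Return the failed checks; an empty list means the provider would accept
    the token and issue a short-lived credential."""
    now = int(time.time()) if now is None else now
    failures: List[str] = []
    if claims.get("iss") != EXPECTED_ISSUER:
        failures.append("iss mismatch")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        failures.append("aud mismatch")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        failures.append("token not within nbf/exp window")
    # Attribute condition: one project, one protected branch
    if claims.get("project_path") != TRUSTED_PROJECT:
        failures.append("project_path not trusted")
    if claims.get("ref_type") != "branch" or claims.get("ref") != "main":
        failures.append("ref is not branch main")
    if claims.get("ref_protected") != "true":  # GitLab emits this as a string
        failures.append("ref is not a protected branch")
    return failures


def claims_for(project: str, ref: str, protected: bool) -> Dict:
    """Claims GitLab puts in an ID token for a push pipeline on a branch."""
    return {
        "iss": EXPECTED_ISSUER,
        "aud": EXPECTED_AUDIENCE,
        "sub": f"project_path:{project}:ref_type:branch:ref:{ref}",
        "iat": NOW, "nbf": NOW - 5, "exp": NOW + 3600,
        "project_path": project,
        "ref": ref, "ref_type": "branch",
        "ref_protected": "true" if protected else "false",
        "pipeline_source": "push",
    }


# Constructed tokens: the intended deploy, a job on an unprotected feature
# branch of the same project, and a job from another project on the instance.
GOOD_TOKEN = make_token(claims_for(TRUSTED_PROJECT, "main", True))
FEATURE_TOKEN = make_token(claims_for(TRUSTED_PROJECT, "feature/x", False))
FORK_TOKEN = make_token(claims_for("someone/myapp-fork", "main", True))

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("feature", FEATURE_TOKEN),
                      ("fork", FORK_TOKEN)]:
        print(name, check_trust(decode_claims(tok), now=NOW) or "accepted")
```

Only the first token is accepted; the feature-branch token fails both the branch and the protection check, and the token from another project fails the project check even though its issuer, audience and branch all match. Dropping any one of these conditions from the provider configuration is what turns "any job in this project" or "any project on this instance" into a deployer.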
Insecure Settings Example
# .gitlab-ci.yml
# Insecure: a long-lived service-account key file (stored in the repository
# or as a file-type CI/CD variable) is activated directly. Anyone who can read
# the repository, a job artifact or a log that echoes it holds a cloud
# credential that stays valid until someone rotates it.
stages:
  - deploy

deploy:
  stage: deploy
  image: google/cloud-sdk:latest
  script:
    # Static key: no audience, no expiry, no binding to this job or branch
    - gcloud auth activate-service-account --key-file /path/to/long-lived-service-account.json
    - gcloud config set project $GOOGLE_PROJECT_ID
    - gcloud app deploy
  environment:
    name: production
  only:
    - main
  variables:
    GOOGLE_APPLICATION_CREDENTIALS: /path/to/long-lived-service-account.json