Gitlab CI external secrets

Can't use external secrets on self-managed Enterprise GitLab (16.2.1-ee.0).
Is external secrets only for Premium users?
I'm trying to deploy GitLab + Vault (by HashiCorp), but this doesn't work for me.
My docker-compose.yml

version: '3.6'
services:
  traefik:
    image: traefik:v2.10
    command:
     - "--api.insecure=true"
     - "--providers.docker=true"
     - "--providers.docker.exposedByDefault=false"
     - "--entrypoints.web.address=:80"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.rule=Host(`traefik.me.local`)"
      - "traefik.docker.network=sample-gitlab-traefik-vault-default"
    container_name: "traefik"
    networks: [mainnet]
    ports:
      - "80:80"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
  vault:
    image: vault:1.13.3
    container_name: vault
    networks: [mainnet]
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vault.entrypoints=web"
      - "traefik.http.routers.vault.rule=Host(`vault.me.local`)"
    volumes:
      - ./file:/vault/file:rw
      - ./vault/:/vault/config:rw
    cap_add:
      - IPC_LOCK
    entrypoint: vault server -config=/vault/config/vault.json
    environment:
      VAULT_API_ADDR: "http://vault.me.local:8200"
  git:
    image: 'gitlab/gitlab-ee:16.2.1-ee.0'
    restart: always
    container_name: git
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.git.entrypoints=web"
      - "traefik.http.routers.git.rule=Host(`git.me.local`)"
      - "traefik.http.routers.git.service=git"
      - "traefik.http.services.git.loadbalancer.server.port=80"
    environment:
      GITLAB_ROOT_PASSWORD: "01234567"
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://git.me.local'
        nginx['listen_port'] = 80
        # gitlab_rails['initial_root_password'] = '01234567'
    volumes:
      - './gitlab/config:/etc/gitlab'
      - './gitlab/logs:/var/log/gitlab'
      - './gitlab/data:/var/opt/gitlab'
    shm_size: '256m'
    networks: [mainnet]

networks:
  mainnet:
    driver: bridge

My gitlab-ci.yml

variables:
    VAULT_SERVER_URL: http://vault.me.local
    VAULT_AUTH_ROLE: main
    VAULT_AUTH_PATH: jwt
build:
    secrets:
        SECRET:
            vault: "path/key@kv"
            file: false
    script:
        - echo "ITS MY"
        - echo $SECRET
        - curl http://vault.me.local
        - >
            curl
            --request POST
            --data "{\"jwt\": \"$CI_JOB_JWT\", \"role\": \"main\"}"
            $VAULT_SERVER_URL/v1/auth/jwt/login
        - docker exec -e CI_JOB_JWT=$CI_JOB_JWT vault sh -c 'export VAULT_ADDR="http://vault.me.local:8200" && export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=main jwt=$CI_JOB_JWT)" && export KEY="$(vault kv get -field=key kv/path)" && echo $KEY'

This is the job log, but there is no "Resolving secrets" step in the job:

Read:

`secrets` is Premium and Ultimate only.

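Added example, not code from the original post and not GitLab's or Vault's own code. It walks through what the `secrets:` keyword does for you on Premium/Ultimate and what the poster's manual `curl .../v1/auth/jwt/login` and `vault write auth/jwt/login` do on Free: the job presents its CI JWT to Vault with a role name, Vault checks the token's claims against that role's `bound_claims`, and the job reads one field from the KV engine with the returned token. It also shows the point a reviewer would raise about the poster's role `main`: a JWT role with no `bound_claims` accepts a token from any project on the instance. Assumptions not on the page: the role name `main` and Vault address `http://vault.me.local:8200` are taken from the poster's files, the claim matching is a simplified mirror of Vault's JWT auth checks, and every token, role and response below is constructed sample data (tokens are unsigned placeholders).

```python
"""Added example (not from the original post, GitLab or Vault): the CI JWT -> Vault
login exchange and the role checks behind it, run offline on constructed data."""
import base64
import fnmatch
import json

VAULT_ADDR = "http://vault.me.local:8200"  # assumption: VAULT_API_ADDR from the compose file
ROLE_NAME = "main"                         # assumption: VAULT_AUTH_ROLE from the CI file


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token with the claim shape of a GitLab CI JWT.
    The signature is a placeholder; Vault verifies a real one against the
    JWKS it was configured with (GitLab's /oauth/discovery/keys)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def jwt_claims(token: str) -> dict:
    """Decode the payload only (no verification); these are the values bound_claims see."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def login_request(jwt: str, role: str = ROLE_NAME) -> tuple[str, dict]:
    """URL and JSON body of the login call the job makes (same as the poster's curl)."""
    return f"{VAULT_ADDR}/v1/auth/jwt/login", {"jwt": jwt, "role": role}


def role_accepts(role: dict, claims: dict) -> bool:
    """Simplified mirror of Vault's JWT auth role checks:
    - if the role has bound_audiences, the token's aud must contain one of them;
    - every bound_claims entry must match the token claim (string compare, or
      glob when bound_claims_type is "glob").
    A role with no bound_claims accepts a token from ANY project on the instance."""
    auds = claims.get("aud", [])
    auds = auds if isinstance(auds, list) else [auds]
    if role.get("bound_audiences") and not set(auds) & set(role["bound_audiences"]):
        return False
    use_glob = role.get("bound_claims_type") == "glob"
    for name, wanted in role.get("bound_claims", {}).items():
        have = str(claims.get(name, ""))
        options = wanted if isinstance(wanted, list) else [wanted]
        if use_glob:
            ok = any(fnmatch.fnmatchcase(have, str(w)) for w in options)
        else:
            ok = any(have == str(w) for w in options)
        if not ok:
            return False
    return True


def kv_read_url(mount: str, path: str, kv_version: int) -> str:
    """URL behind `path/key@kv` in `secrets:` or `vault kv get -field=key kv/path`."""
    if kv_version == 2:
        return f"{VAULT_ADDR}/v1/{mount}/data/{path}"
    return f"{VAULT_ADDR}/v1/{mount}/{path}"


def kv_field(response: dict, field: str, kv_version: int) -> str:
    """Pull one field out of a KV read response; v2 nests the data one level deeper."""
    data = response["data"]["data"] if kv_version == 2 else response["data"]
    return data[field]


# Constructed roles: OPEN_ROLE is the "it works" role; STRICT_ROLE binds the secret
# to one project's protected main branch, which is what a production role should do.
OPEN_ROLE = {"role_type": "jwt", "user_claim": "user_email", "token_policies": ["ci"]}
STRICT_ROLE = {
    "role_type": "jwt", "user_claim": "user_email", "token_policies": ["ci"],
    "bound_audiences": ["http://vault.me.local"],  # aud is set with id_tokens: in the CI file
    "bound_claims_type": "glob",
    "bound_claims": {"project_id": "22", "ref_protected": "true", "ref": "main"},
}
# Constructed claims using the names GitLab puts in its CI JWT (values are strings).
COMMON = {"iss": "git.me.local", "aud": ["http://vault.me.local"], "user_email": "dev@me.local"}
PROJECT_22_TOKEN = make_unsigned_jwt({**COMMON, "project_id": "22", "ref": "main", "ref_protected": "true"})
OTHER_PROJECT_TOKEN = make_unsigned_jwt({**COMMON, "project_id": "99", "ref": "feature", "ref_protected": "false"})
# Constructed KV v2 read response for `vault kv get kv/path`.
KV2_RESPONSE = {"data": {"data": {"key": "s3cr3t"}, "metadata": {"version": 1}}}

if __name__ == "__main__":
    for name, role in (("OPEN_ROLE", OPEN_ROLE), ("STRICT_ROLE", STRICT_ROLE)):
        for label, tok in (("project 22/main", PROJECT_22_TOKEN), ("project 99/feature", OTHER_PROJECT_TOKEN)):
            print(f"{name:11} accepts {label}: {role_accepts(role, jwt_claims(tok))}")
    print(login_request(PROJECT_22_TOKEN)[0], kv_read_url("kv", "path", 2))
    print("field:", kv_field(KV2_RESPONSE, "key", 2))
```

On Free, the poster's script-level login is the supported route: request the token with `id_tokens:` (which lets you set the `aud` that `bound_audiences` checks; the legacy `CI_JOB_JWT` the poster uses carries the project and ref claims but no audience) and pin the Vault role with `bound_claims` on `project_id` and `ref_protected` as `STRICT_ROLE` does, so that a job in another project on the same GitLab cannot log in as `main` and read `kv/path`.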