GitLab CI Runner token expiry and registering

I have the following setup

  • AWS EC2 Autoscaling group for my CI runners
  • One gitlab runner registered
  • AWS Launch template has user data so that on first boot it installs gitlab runner and reads from an AWS Secret the token from the previous step
  • (Other configuration exists so that before termination of an instance the runner is deregistered from gitlab).

This works fine until after a couple of weeks the autoscaling group needs an increase or for another reason goes through a refresh of one or more items.
Because at this time the token in the vault will be expired (I think running runners would have rotated the token correctly).

So I am wondering if there is a best practice for this setup, as I have now set the token expiry to be 12 months.

I guess I need to configure in the AWS manager token rotation with a script, but I don’t find any documentation on how to do so.

The GitLab Runner token is meant to be static; if you save it in AWS Secrets Manager with rotation, AWS Secrets Manager will rotate it, not knowing that it shouldn't.

The simplest solution is to simply turn off secret rotation for that secret.
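As an added illustration of the setup the question describes (a launch-template user-data script that installs the runner, reads the runner token from Secrets Manager at boot, registers it, and can unregister it before termination), here is example bootstrap code that is not from the thread or from GitLab. The secret name, GitLab URL, region and the `{"token":"glrt-..."}` secret layout are assumptions; the secret is assumed to have rotation disabled, as the answer recommends.

```shell
#!/bin/sh
# Added example: EC2 user-data bootstrap for a GitLab Runner whose authentication
# token lives in AWS Secrets Manager (no rotation configured on that secret).
# The token is fetched at boot through the instance's IAM role rather than being
# pasted into user data, because user data is readable from the instance metadata.
set -eu

SECRET_ID="${SECRET_ID:-gitlab/runner-token}"              # assumed secret name
GITLAB_URL="${GITLAB_URL:-https://gitlab.example.com}"     # assumed GitLab URL
AWS_REGION="${AWS_REGION:-eu-west-1}"                      # assumed region

# Pull the "token" field out of the secret's JSON string (sed only, no jq needed).
token_from_secret_json() {
  printf '%s' "$1" |
    sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# GitLab runner authentication tokens are prefixed "glrt-"; anything else in the
# secret (for example a stale value written by an accidental rotation) is rejected.
is_runner_auth_token() {
  case "$1" in glrt-*) return 0 ;; *) return 1 ;; esac
}

fetch_runner_token() {
  raw="$(aws secretsmanager get-secret-value --region "$AWS_REGION" \
          --secret-id "$SECRET_ID" --query SecretString --output text)"
  token_from_secret_json "$raw"
}

register_runner() {
  tok="$1"
  is_runner_auth_token "$tok" || { echo "secret does not hold a runner token" >&2; return 1; }
  gitlab-runner register --non-interactive --url "$GITLAB_URL" \
    --token "$tok" --executor shell
}

# Called from the pre-termination hook so the runner disappears from GitLab.
unregister_runner() {
  gitlab-runner unregister --all-runners
}

bootstrap() {
  curl -L https://packages.gitlab.com/install/repositories/gitlab/gitlab-runner/script.deb.sh | bash
  apt-get install -y gitlab-runner
  register_runner "$(fetch_runner_token)"
}

# Only run the bootstrap on a real instance (set RUN_BOOTSTRAP=1 in the user data).
if [ "${RUN_BOOTSTRAP:-0}" = "1" ]; then bootstrap; fi
```

Validating the `glrt-` prefix before registering is the cheap check that catches a secret whose value was silently replaced by a rotation job.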