As part of evaluating Google Secret Manager integration with GitLab SaaS (Premium) for our organization, we set up a simple pipeline to resolve a Docker password stored in GCP Secret Manager and then perform a docker login with the resolved credentials.
However, the secrets are not getting resolved and the pipeline execution is failing.
Reference: Use GCP Secret Manager secrets in GitLab CI/CD | GitLab
Observation
- During pipeline execution we can see “WARNING: Not resolved: no resolver that can handle the secret”
- The pipeline execution is failing, i.e. the docker login is failing because the GCP Secret Manager secret is not getting resolved.
```
Running with gitlab-runner 16.6.0~beta.105.gd2263193 (d2263193)
  on blue-3.saas-linux-small-amd64.runners-manager.gitlab.com/default zxwgkjAP, system ID: s_d5d3abbdfd0a
  feature flags: FF_USE_IMPROVED_URL_MASKING:true
Resolving secrets 00:00
Resolving secret "password"...
WARNING: Not resolved: no resolver that can handle the secret
Preparing the "docker+machine" executor 00:10
Using Docker executor with image docker ...
Pulling docker image docker ...
Using docker image sha256:87df94ebeb90e02117092dfd9df849abdbffb11c0c2c750017e9ad8438512748 for docker with digest docker@sha256:915cd1624f521b6337f135075f712c8fb14c0b151595c6144d7ce05d2f257869 ...
Preparing environment 00:03
Running on runner-zxwgkjap-project-54583187-concurrent-0 via runner-zxwgkjap-s-l-s-amd64-1707763065-edd8dd5f...
Getting source from Git repository 00:01
Fetching changes with git depth set to 20...
Initialized empty Git repository in /builds/xxxx/xxxxxxx/gcp-secret-mgr/.git/
Created fresh repository.
Checking out d6b16fbc as detached HEAD (ref is main)...
Skipping Git submodules setup
$ git remote set-url origin "${CI_REPOSITORY_URL}"
Executing "step_script" stage of the job script 00:00
Using docker image sha256:87df94ebeb90e02117092dfd9df849abdbffb11c0c2c750017e9ad8438512748 for docker with digest docker@sha256:915cd1624f521b6337f135075f712c8fb14c0b151595c6144d7ce05d2f257869 ...
$ docker login -u xxxxx docker.io -p $password
flag needs an argument: 'p' in -p
See 'docker login --help'.
Cleaning up project directory and file based variables 00:01
ERROR: Job failed: exit code 125
```
ci.yaml

```yaml
job_using_gcp_sm:
  image: docker
  id_tokens:
    GCP_ID_TOKEN:
      # `aud` must match the audience defined in the WIF Identity Pool.
      aud: https://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID}/providers/${GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID}
  secrets:
    password:
      gcp_secret_manager:
        name: DOCKERHUB_PASSWD # This is the name of the secret defined in GCP Secret Manager
        version: 1 # optional: default to `latest`.
      token: $GCP_ID_TOKEN
  script:
    - docker login -u xxxxx docker.io -p $password
```
(Along with Use GCP Secret Manager secrets in GitLab CI/CD | GitLab, we also referred to GCP Secrets Manager native support: Documentation (#428403) · Issues · GitLab.org / GitLab · GitLab for the GCP configuration.)
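
An added example, not part of the original post: a guard for the job's script that stops before `docker login` when the `password` secret was not resolved, and feeds the value on stdin instead of `-p`. It assumes GitLab's default of exposing a CI secret as a file-type variable (the variable holds a path); the function names and the `DOCKER_BIN` override are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Assumption: the CI secret is exposed as a file-type variable, i.e. the
# variable holds the path of a file that contains the secret value.

# check_secret_file NAME PATH
# Returns 0 when PATH names a readable, non-empty file. Otherwise prints the
# reason to stderr and returns a distinct non-zero code so the job stops early.
# The value of PATH is never echoed, in case it is the secret itself.
check_secret_file() {
  name=$1
  path=$2
  if [ -z "$path" ]; then
    echo "secret '$name' was not resolved (variable is empty)" >&2
    return 2
  fi
  if [ ! -f "$path" ] || [ ! -r "$path" ]; then
    echo "secret '$name' does not point to a readable file" >&2
    return 3
  fi
  if [ ! -s "$path" ]; then
    echo "secret '$name' resolved to an empty file" >&2
    return 4
  fi
  return 0
}

# registry_login USER REGISTRY NAME PATH
# Logs in only after the check passes. The password is read from stdin, so it
# does not appear on the command line or in the job log.
registry_login() {
  check_secret_file "$3" "$4" || return $?
  "${DOCKER_BIN:-docker}" login -u "$1" --password-stdin "$2" < "$4"
}

# In the job's script section (user name is a placeholder, as in the post):
#   registry_login xxxxx docker.io password "${password:-}"
```

With the unresolved secret from the log above, the job would stop with the "was not resolved" message rather than the less obvious `flag needs an argument: 'p' in -p`.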