Issue Description: In our GitLab CI/CD pipeline, we need to ensure that the download access to artifacts is restricted. The goal is to allow only the jobs within the pipeline to utilize the artifacts, particularly the dotenv artifact which contains sensitive secret values. This restriction is crucial to maintain the security and integrity of our CI/CD process.
Current Challenge: Currently, any user with access to the GitLab console output through the UI can download the artifacts. This poses a security risk as the dotenv artifact includes confidential information.
Configuration:

```yaml
.fetch_secrets:
  stage: fetch-secrets
  tags:
    - docker
  image: hashicorp/vault:latest
  id_tokens:
    VAULT_AUTH_TOKEN:
      aud: $VAULT_ADDR
  script:
    - echo "Logging into Vault..."
    - apk add --no-cache curl
    - export VAULT_TOKEN=$(vault write -field=token auth/jwt/login role=$VAULT_AUTH_ROLE jwt=$VAULT_AUTH_TOKEN)
    - echo "Fetching secrets from Vault..."
    - export ES_CA=$(vault kv get -field=field-name path/to/field)
    - export ES_PASSWORD=$(vault kv get -field=field-name path/to/field)
    - echo "ES_CA=$ES_CA" > secrets.env
    - echo "ES_PASSWORD=$ES_PASSWORD" >> secrets.env
  artifacts:
    reports:
      dotenv: secrets.env
```
Conclusion: When using the above pipeline, I noticed that any user with access to the project/repository can download the secrets.env file, which contains values fetched from Vault. We need a solution to restrict download access to artifacts in the pipeline.
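An added example, not part of the issue above and not the issue author's configuration, showing the keyword that addresses the stated problem: `artifacts:access: none` (available from GitLab 16.11) removes the artifact from the UI and the jobs API for every user, while a job that declares `needs` on the producing job still receives the dotenv variables. Job names, the Vault KV path and field name, the `alpine` image and `deploy.sh` are assumptions.

```yaml
# Added example, not the issue author's pipeline. Job names, the Vault
# path/field name, the alpine image and deploy.sh are assumptions.
stages:
  - fetch-secrets
  - deploy

fetch_secrets:
  stage: fetch-secrets
  image: hashicorp/vault:latest
  id_tokens:
    VAULT_AUTH_TOKEN:
      aud: $VAULT_ADDR
  script:
    - export VAULT_TOKEN=$(vault write -field=token auth/jwt/login role=$VAULT_AUTH_ROLE jwt=$VAULT_AUTH_TOKEN)
    - export ES_PASSWORD=$(vault kv get -field=password secret/elastic)   # assumed path and field
    - echo "ES_PASSWORD=$ES_PASSWORD" > secrets.env
  artifacts:
    # The configuration in the issue has no `access` key. The default is `all`,
    # which lets anyone who can view the pipeline download secrets.env.
    # `none` removes it from the UI and the jobs API entirely; dependent jobs
    # still receive the dotenv variables. (`developer` would limit downloads to
    # the Developer role and above, which is still too wide for a secret.)
    access: none
    # Keep the secret on the server only as long as the pipeline needs it.
    expire_in: 1 hour
    reports:
      dotenv: secrets.env

deploy:
  stage: deploy
  image: alpine:latest
  # `needs` with `artifacts: true` is what injects ES_PASSWORD from the dotenv
  # report into this job's environment; no artifact download is involved.
  needs:
    - job: fetch_secrets
      artifacts: true
  script:
    # Fail early if the variable did not arrive, without printing its value.
    - test -n "$ES_PASSWORD" || { echo "ES_PASSWORD not injected"; exit 1; }
    - ./deploy.sh   # assumed deployment script
```

Two caveats worth checking before relying on this. First, `artifacts:access` only controls downloads: the dotenv values are injected, unmasked, into the environment of every dependent job, so anyone who can push pipeline changes to the project can still print them; treat the branch protection and pipeline-editing permissions as part of the boundary. Second, `artifacts:access` cannot be combined with `artifacts:public`, and on GitLab versions before 16.11 the only option is `artifacts:public: false`, which restricts downloads to project members rather than removing them. A short `expire_in` also means a manual or retried dependent job that runs after expiry will no longer receive the variables. If the consuming job can authenticate to Vault itself with the same `id_tokens` login, fetching the secret there and never writing it to an artifact removes the download problem altogether.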