How to Restrict Artifact Download Access in GitLab CI?

Issue Description: In our GitLab CI/CD pipeline, we need to ensure that the download access to artifacts is restricted. The goal is to allow only the jobs within the pipeline to utilize the artifacts, particularly the dotenv artifact which contains sensitive secret values. This restriction is crucial to maintain the security and integrity of our CI/CD process.
Current Challenge: Currently, any user with access to the GitLab console output through the UI can download the artifacts. This poses a security risk as the dotenv artifact includes confidential information.

Configuration

.fetch_secrets:
  stage: fetch-secrets
  tags:
    - docker
  image: hashicorp/vault:latest
  id_tokens:
    VAULT_AUTH_TOKEN:
      aud: $VAULT_ADDR
  script:
    - echo "Logging into Vault..."
    - apk add --no-cache curl
    - export VAULT_TOKEN=$(vault write -field=token auth/jwt/login role=$VAULT_AUTH_ROLE jwt=$VAULT_AUTH_TOKEN)
    - echo "Fetching secrets from Vault..."
    - export ES_CA=$(vault kv get -field=field-name path/to/field)
    - export ES_PASSWORD=$(vault kv get -field=field-name path/to/field)
    - echo "ES_CA=$ES_CA" > secrets.env
    - echo "ES_PASSWORD=$ES_PASSWORD" >> secrets.env
  artifacts:
    reports:
      dotenv: secrets.env

Conclusion: When using the above pipeline, I noticed that any user with access to the project/repository can download the secrets.env file, which contains values fetched from Vault. We need a solution to restrict download access to artifacts in the pipeline.

Thanks for taking the time to be thorough in your request, it really helps! :blush:

I found a solution to the issue. After conducting more research and delving deeper into the GitLab documentation, I discovered this link: GitLab CI/CD Artifacts Access, which addresses the problem.

After upgrading GitLab to the latest version, I used the following configuration to restrict artifact download access:

job:
  artifacts:
    access: none
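Putting the accepted answer together with the original job, here is an added example (not the poster's own configuration) of a two-job pipeline in which the secret-bearing dotenv artifact cannot be downloaded from the UI or API but is still handed to the consuming job. The job names `fetch_secrets` and `deploy`, the `expire_in` value, `deploy.sh`, and the `needs` wiring are assumptions; the Vault commands and variable names are the ones from the question.

```yaml
stages:
  - fetch-secrets
  - deploy

# Concrete job (the question used a hidden ".fetch_secrets" template); assumed name.
fetch_secrets:
  stage: fetch-secrets
  tags:
    - docker
  image: hashicorp/vault:latest
  id_tokens:
    VAULT_AUTH_TOKEN:
      aud: $VAULT_ADDR
  script:
    - apk add --no-cache curl
    - export VAULT_TOKEN=$(vault write -field=token auth/jwt/login role=$VAULT_AUTH_ROLE jwt=$VAULT_AUTH_TOKEN)
    - export ES_CA=$(vault kv get -field=field-name path/to/field)
    - export ES_PASSWORD=$(vault kv get -field=field-name path/to/field)
    # Never echo the values themselves to the log; only write them to the dotenv file.
    - echo "ES_CA=$ES_CA" > secrets.env
    - echo "ES_PASSWORD=$ES_PASSWORD" >> secrets.env
  artifacts:
    # access: none blocks UI/API downloads for everyone; it does not block
    # other jobs in this pipeline, which is exactly the split the question asks for.
    access: none
    # Assumed retention: keep the secret artifact only as long as the pipeline needs it.
    expire_in: 1 hour
    reports:
      dotenv: secrets.env

# Assumed consumer job: receives ES_CA / ES_PASSWORD as CI variables via the dotenv report.
deploy:
  stage: deploy
  needs:
    - job: fetch_secrets
      artifacts: true
  script:
    # Fail early if the dotenv variables were not injected, without printing them.
    - test -n "$ES_PASSWORD" && test -n "$ES_CA"
    - ./deploy.sh
```

The restriction applies only to downloads through the UI and API; anyone who can edit `.gitlab-ci.yml` can still add a job that reads the artifact, so branch protection on the pipeline definition remains part of the control.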