# Configuring OpenID Connect for GitLab

This document outlines the steps required to configure Pulumi to accept GitLab ID tokens and exchange them for Organization access tokens.

This guide demonstrates using organization tokens. Depending on your Pulumi edition, you may also use personal or team tokens by adjusting the token type in the authorization policies and the `requested-token-type` parameter.

## Prerequisites

- You must be an admin of your Pulumi organization.

Please note that this guide provides step-by-step instructions based on the official provider documentation, which is subject to change. For the most current and precise information, always refer to the official GitLab documentation.
## Register the OIDC issuer

- Navigate to OIDC Issuers under your Organization's Settings and click on Register a new issuer.
- Name the issuer and complete the URL: `https://gitlab.com/` (or the URL of your self-managed GitLab instance).
- Submit the form.
## Configure the Authorization Policies

1. Click on the issuer name.
2. Change the policy decision to Allow.
3. Change the token type to Organization.
4. Add a policy to allow OIDC and configure the `sub` and `aud` claims for your organization and repositories:
   - Aud: `urn:pulumi:org:org-name`
   - Sub: `project_path:namespace/project:ref_type:branch:ref:branch-name`

   For further information about GitLab token claims, refer to the official GitLab documentation.
5. Click on Update.
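The policy above only lets a token through when its issuer, `aud` and `sub` claims all match. The following added example (not Pulumi's or GitLab's code) decodes the claim set of a GitLab CI ID token and applies the same three comparisons locally, which is useful when a `pulumi login` is rejected and you want to see which claim does not line up with the policy. It does not verify the token signature; Pulumi performs that check against the issuer's published keys, and the sample claims below are constructed, not a real token.

```python
import base64
import json

# Constructed sample claim set for a GitLab CI ID token (not a real token).
# Only the claims the Pulumi authorization policy looks at are included.
SAMPLE_CLAIMS = {
    "iss": "https://gitlab.com",
    "aud": "urn:pulumi:org:org-name",
    "sub": "project_path:namespace/project:ref_type:branch:ref:main",
}

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Build header.payload.signature with an empty signature (constructed test input only)."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT; signature verification is left to Pulumi."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding base64url strips
    return json.loads(base64.urlsafe_b64decode(payload))

def parse_gitlab_sub(sub: str) -> dict:
    """Split 'project_path:<path>:ref_type:<type>:ref:<name>' into its fields."""
    parts = sub.split(":")  # branch names and project paths cannot contain ':'
    if len(parts) != 6 or parts[0] != "project_path" or parts[2] != "ref_type" or parts[4] != "ref":
        raise ValueError(f"unexpected GitLab sub format: {sub}")
    return {"project_path": parts[1], "ref_type": parts[3], "ref": parts[5]}

def matches_policy(claims: dict, issuer: str, org: str, project_path: str, ref_type: str, ref: str) -> bool:
    """Mirror the issuer, aud and sub checks of the authorization policy configured above."""
    if claims.get("iss") != issuer:
        return False
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if f"urn:pulumi:org:{org}" not in auds:
        return False
    try:
        sub = parse_gitlab_sub(claims.get("sub", ""))
    except ValueError:
        return False
    return sub == {"project_path": project_path, "ref_type": ref_type, "ref": ref}
```

Pass the pipeline's real `$GITLAB_OIDC_TOKEN` to `decode_claims` and the values from your policy to `matches_policy`; a `False` result for a branch other than the one in the `sub` pattern is the policy working as intended, not a misconfiguration.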
## Set up GitLab CI to use Pulumi OIDC authentication

In your `.gitlab-ci.yml`, configure the job to request an ID token and use it with the Pulumi CLI:

```yaml
variables:
  PULUMI_ORG: "org-name"

.pulumi-oidc:
  image:
    name: pulumi/pulumi:latest
    entrypoint: [""]
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: "urn:pulumi:org:${PULUMI_ORG}"
  before_script:
    - pulumi login --oidc-token "$GITLAB_OIDC_TOKEN" --oidc-org "$PULUMI_ORG" --cloud-url https://api.pulumi.com
```

Replace `org-name` with the right Pulumi organization.
## Sample GitLab CI pipeline

```yaml
variables:
  PULUMI_ORG: "org-name"
  STACK_NAME: "org-name/project-name/stack-name"

stages:
  - preview
  - deploy

.pulumi-oidc:
  image:
    name: pulumi/pulumi:latest
    entrypoint: [""]
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: "urn:pulumi:org:${PULUMI_ORG}"
  before_script:
    - pulumi login --oidc-token "$GITLAB_OIDC_TOKEN" --oidc-org "$PULUMI_ORG" --cloud-url https://api.pulumi.com

pulumi-preview:
  extends: .pulumi-oidc
  stage: preview
  script:
    - cd infrastructure
    - npm ci
    - pulumi preview --stack "$STACK_NAME"
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

pulumi-up:
  extends: .pulumi-oidc
  stage: deploy
  script:
    - cd infrastructure
    - npm ci
    - pulumi up --stack "$STACK_NAME" --yes
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
  environment:
    name: production
```