Use Akeyless secrets in GitLab CI/CD
- Introduced in GitLab 17.4.
You can use the secrets:akeyless keyword to authenticate and retrieve Akeyless secrets.
Prerequisites:
- Save your Akeyless access ID as a CI/CD variable in your GitLab project named AKEYLESS_ACCESS_ID.
- This integration only supports static secrets.
To retrieve secrets from Akeyless, review the CI/CD configuration example that matches your use case. The akeyless:name keyword can contain any secret type.
JWT authentication
job:
  id_tokens:
    AKEYLESS_JWT:
      aud: 'https://gitlab.com'
  secrets:
    DATABASE_PASSWORD:
      token: $AKEYLESS_JWT
      akeyless:
        name: 'secret_name'
akeyless_token
job:
  secrets:
    DATABASE_PASSWORD:
      akeyless:
        name: 'secret_name'
        akeyless_token: '<akeyless_token>'
Akeyless access types
aws_iam
job:
  secrets:
    DATABASE_PASSWORD:
      akeyless:
        name: 'secret_name'
        akeyless_access_type: 'aws_iam'
azure_ad
job:
  secrets:
    DATABASE_PASSWORD:
      akeyless:
        name: 'secret_name'
        akeyless_access_type: 'azure_ad'
        azure_object_id: 'azure_object_id'
gcp
job:
  secrets:
    DATABASE_PASSWORD:
      akeyless:
        name: 'secret_name'
        akeyless_access_type: 'gcp'
        gcp_audience: 'gcp_audience'
universal_identity
job:
  secrets:
    DATABASE_PASSWORD:
      akeyless:
        name: 'secret_name'
        akeyless_access_type: 'universal_identity'
        uid_token: 'uid_token'
k8s
job:
  secrets:
    DATABASE_PASSWORD:
      akeyless:
        name: 'secret_name'
        akeyless_access_type: 'k8s'
        k8s_service_account_token: 'k8s_service_account_token'
        k8s_auth_config_name: 'k8s_auth_config_name'
        akeyless_api_url: 'akeyless_api_url'
api_key
job:
  secrets:
    DATABASE_PASSWORD:
      akeyless:
        name: 'secret_name'
        akeyless_access_type: 'api_key'
        akeyless_access_key: "<Access Key>"
If you intend to fetch multiple secrets or run multiple jobs using the same Akeyless token, you should run the first job as follows to store and re-use the same token as a dedicated CI/CD variable.
JWT reuse
When re-using the same token, there is no akeyless:name reference, which allows the token to be re-used for multiple jobs.
job: # This job fetches the Akeyless Token
  id_tokens:
    AKEYLESS_JWT:
      aud: 'https://gitlab.com'
  secrets:
    AKEYLESS_TOKEN:
      token: $AKEYLESS_JWT
      akeyless:
Fetch a JSON Secret
job:
  id_tokens:
    AKEYLESS_JWT:
      aud: 'https://gitlab.com'
  secrets:
    DATABASE_PASSWORD:
      token: $AKEYLESS_JWT
      akeyless:
        name: 'secret_name'
        data_key: 'imp'
This example fetches the imp JSON key.
Issue certificate
Use public_key_data when issuing certificates.
SSH
job:
  id_tokens:
    AKEYLESS_JWT:
      aud: 'https://gitlab.com'
  secrets:
    DATABASE_PASSWORD:
      token: $AKEYLESS_JWT
      akeyless:
        name: 'secret_name'
        cert_user_name: 'cert_user_name'
        public_key_data: 'public_key_data'
Issue certificate
job:
  id_tokens:
    AKEYLESS_JWT:
      aud: 'https://gitlab.com'
  secrets:
    DATABASE_PASSWORD:
      token: $AKEYLESS_JWT
      akeyless:
        name: 'secret_name'
        public_key_data: 'public_key_data'
You can also use csr_data instead of public_key_data.
Work with a gateway
Set your gateway URL using the akeyless_api_url keyword. When working with a CA certificate, you can provide your gateway_ca_certificate as well:
job:
  id_tokens:
    AKEYLESS_JWT:
      aud: 'https://gitlab.com'
  secrets:
    DATABASE_PASSWORD:
      token: $AKEYLESS_JWT
      akeyless:
        name: 'secret_name'
        akeyless_api_url: 'http://gateway_url:8080/v2'
        gateway_ca_certificate: 'ca_certificate'
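A pre-merge check for the keywords shown in the access type and gateway examples above, as an added example that is not GitLab's or Akeyless's own code: it scans the text of a .gitlab-ci.yml for credential keywords given as literals instead of CI/CD variable references, and for a gateway URL that uses plain HTTP. The function name, finding strings and sample pipeline are constructed for illustration, and treating every value that is not a $VARIABLE reference as a committed literal is an assumption.

```python
import re

# Keywords from this page whose values are credentials. Assumption: any
# value that is not a $VARIABLE reference is a literal committed to the repo.
CREDENTIAL_KEYS = {"akeyless_token", "akeyless_access_key", "uid_token",
                   "k8s_service_account_token"}
KEY_VALUE = re.compile(r"^\s*(\w+):\s*(.*?)\s*(?:#.*)?$")
VARIABLE_REF = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")

# Constructed sample pipeline (not from the page); values are placeholders.
SAMPLE_CI = """\
job:
  secrets:
    DATABASE_PASSWORD:
      akeyless:
        name: 'secret_name'
        akeyless_access_type: 'api_key'
        akeyless_access_key: 'constructed-example-key'
        akeyless_api_url: 'http://gateway_url:8080/v2'
    API_TOKEN:
      akeyless:
        name: 'other_secret'
        akeyless_token: $AKEYLESS_TOKEN
"""


def audit_akeyless_config(ci_yaml: str) -> list:
    """Return (line_number, key, finding) tuples for risky Akeyless settings."""
    findings = []
    for number, line in enumerate(ci_yaml.splitlines(), start=1):
        match = KEY_VALUE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip("'\"")
        if key in CREDENTIAL_KEYS and value and not VARIABLE_REF.match(value):
            findings.append((number, key, "literal credential in pipeline file"))
        elif key == "akeyless_api_url" and value.lower().startswith("http://"):
            findings.append((number, key, "gateway URL is not HTTPS"))
    return findings


if __name__ == "__main__":
    for finding in audit_akeyless_config(SAMPLE_CI):
        print(finding)
```

The scan is line-based, so it needs no YAML library and reports the line number a reviewer should look at.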
Troubleshooting
The secrets provider can not be found. Check your CI/CD variables and try again. message
You might receive this error when attempting to start a job configured to access Akeyless:
The secrets provider can not be found. Check your CI/CD variables and try again.
The job can’t be created because the required variable is not defined:
- AKEYLESS_ACCESS_ID