Use external secrets in CI/CD

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

CI/CD jobs might need sensitive information, called secrets, to complete work. This sensitive information could be items like API tokens, database credentials, or private keys. Secrets are sourced from a secrets provider.

Unlike CI/CD variables, which are always available in jobs, secrets must be explicitly requested by a job.

GitLab supports several secret management providers, including:

  1. HashiCorp Vault
  2. Google Cloud Secret Manager
  3. Azure Key Vault
  4. AWS Secrets Manager

Use ID tokens to authenticate with a secrets provider.
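
The following `.gitlab-ci.yml` fragment is an added example, not part of the original page. It shows one job that explicitly requests a secret from HashiCorp Vault using an ID token, next to a job that requests nothing. The Vault address, role name, secret path, job names, and script names are assumptions.

```yaml
# Added example. Hostname, role, secret path, and scripts are placeholders.
variables:
  VAULT_SERVER_URL: https://vault.example.com   # assumed Vault address
  VAULT_AUTH_ROLE: ci-deploy                    # assumed Vault role for JWT auth

deploy:
  stage: deploy
  # The ID token is a short-lived JWT issued by GitLab for this job only.
  id_tokens:
    VAULT_ID_TOKEN:
      # Audience claim; the Vault role should be bound to this exact value
      # so a token minted for another service is rejected.
      aud: https://vault.example.com
  # The secret is fetched only because this job asks for it.
  secrets:
    DATABASE_PASSWORD:
      # Field "password" at path "production/db", secrets engine mounted at "ops".
      vault: production/db/password@ops
      token: $VAULT_ID_TOKEN
  script:
    # By default the secret is a file-type variable: $DATABASE_PASSWORD holds
    # the path to a temporary file containing the value, not the value itself.
    - ./deploy.sh --db-password-file "$DATABASE_PASSWORD"   # hypothetical script

lint:
  stage: test
  script:
    # No secrets: keyword here, so DATABASE_PASSWORD is not available in this job.
    - ./lint.sh   # hypothetical script
```

On the Vault side, binding the role to claims in the ID token (for example the project and the protected ref) limits which jobs can read the secret.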