GitLab Duo authentication and authorization
GitLab Duo with Amazon Q uses a composite identity to authenticate requests.
Support for a composite identity in other areas of the product is proposed in issue 511373.
The token that authenticates requests is a composite of two identities:
- The primary author, which is the Amazon Q service account. This service account is instance-wide and has the Developer role on the project where the Amazon Q quick action was used. The service account is the owner of the token.
- The secondary author, which is the human user who submitted the quick action. This user's `id` is included in the scopes of the token.
This composite identity ensures that any activities authored by Amazon Q are correctly attributed to the Amazon Q service account. At the same time, the composite identity ensures that there is no privilege escalation for the human user.
This dynamic scope is checked during the authorization of the API request. When authorization is requested, GitLab validates that both the service account and the user who originated the quick action have sufficient permissions.
```mermaid
%%{init: { "fontFamily": "GitLab Sans" }}%%
flowchart TD
    A[API Request] --> B{Human user has access?}
    B -->|No| D[Access denied]
    B -->|Yes| C{Service account has access?}
    C -->|No| D
    C -->|Yes| E[API request succeeds]
    style D fill:#ffcccc
    style E fill:#ccffcc
```
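The following is an added illustration, not GitLab's own code, of the two-sided check the page describes: a token owned by the service account that carries the human user's id in its scopes, and an authorization routine that denies the request unless both identities hold the required role on the project. The role ranks, numeric ids, the `user:<id>` scope format and the sample project membership are all constructed for this example; GitLab's real scope encoding and permission model are not shown here.

```ruby
# Added example (not GitLab's code): a minimal model of composite-identity
# authorization. The token is owned by the service account (primary author) and
# carries the human user's id in its scopes (secondary author). A request is
# allowed only when BOTH identities have the required access on the project, so
# the token can never grant the human more than they already have, and the
# service account's own role still caps what the bot can do on their behalf.

# Role ranks, constructed for this example (assumption: higher rank = more access).
ROLES = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# memberships: { user_id => role symbol }
Project = Struct.new(:name, :memberships) do
  def role_for(user_id)
    memberships[user_id]
  end
end

# A composite token: owned by the service account, scoped to one human user.
# Scope format "user:<id>" is an assumption made for this example.
CompositeToken = Struct.new(:owner_id, :scopes) do
  # Returns the human user's id, or nil if the token carries no user scope.
  def user_id
    scope = scopes.find { |s| s.start_with?('user:') }
    scope && scope.delete_prefix('user:').to_i
  end
end

# Mirrors the flowchart: the human user is checked first, then the service
# account. Returns [:allowed | :denied, reason].
def authorize(token, project, required_role)
  required = ROLES.fetch(required_role)

  human_id = token.user_id
  return [:denied, 'token has no user scope'] if human_id.nil?

  human_role = project.role_for(human_id)
  if human_role.nil? || ROLES[human_role] < required
    return [:denied, 'human user lacks access']
  end

  bot_role = project.role_for(token.owner_id)
  if bot_role.nil? || ROLES[bot_role] < required
    return [:denied, 'service account lacks access']
  end

  [:allowed, "authored by #{token.owner_id}, on behalf of #{human_id}"]
end

# Constructed sample data (assumption: numeric ids).
AMAZON_Q_BOT = 1   # service account, Developer on the project
ALICE   = 42       # Developer
BOB     = 43       # Guest
CAROL   = 45       # Maintainer
MALLORY = 44       # not a member

PROJECT = Project.new('demo', {
  AMAZON_Q_BOT => :developer,
  ALICE => :developer,
  BOB => :guest,
  CAROL => :maintainer,
})

def token_for(user_id)
  CompositeToken.new(AMAZON_Q_BOT, ['api', "user:#{user_id}"])
end

if __FILE__ == $PROGRAM_NAME
  [ALICE, BOB, MALLORY].each do |uid|
    puts "developer action, user #{uid}: #{authorize(token_for(uid), PROJECT, :developer).inspect}"
  end
  # Carol is a Maintainer, but the bot is only a Developer, so a Maintainer-level
  # action is still denied: the composite identity caps both sides.
  puts "maintainer action, user #{CAROL}: #{authorize(token_for(CAROL), PROJECT, :maintainer).inspect}"
end
```

The two denials worth noting are the ones in each direction: Bob (Guest) cannot use the bot's Developer role to perform a Developer action, and Carol (Maintainer) cannot push the Developer-role bot into a Maintainer action. A token without a user scope is rejected outright rather than falling back to the service account alone.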