① Every GitLab CI/CD pipeline has a CI_JOB_JWT_V2 JSON web token in the predefined variables

• Example JWT

{
  "namespace_id": "59407538",
  "namespace_path": "joetanx",
  "project_id": "46285066",
  "project_path": "joetanx/aws-cli-demo",
  "user_id": "12855715",
  "user_login": "joetanx",
  "user_email": "joe.tan@cyberark.com",
  "pipeline_id": "877636997",
  "pipeline_source": "push",
  "job_id": "4343330528",
  "ref": "main",
  "ref_type": "branch",
  "ref_path": "refs/heads/main",
  "ref_protected": "true",
  "jti": "f9fe5035-17f7-4259-b6f9-873fed0f57ea",
  "iss": "gitlab.com",
  "iat": 1684936926,
  "nbf": 1684936921,
  "exp": 1684940526,
  "sub": "job_4343330528"
}

② The GitLab runner sends an authentication request to Conjur using REST API to the JWT authenticator URI (https://<subdomain>.secretsmgr.cyberark.cloud/api/authn-jwt/<service-id>)

• The URI for this demo is https://apj-secrets.secretsmgr.cyberark.cloud/api/authn-jwt/jtan-gitlab

③ Conjur fetches the public key from the GitLab JWKS URI

• The GibLab SaaS JWKS URI is at https://gitlab.com/-/jwks/
• This JWKS URI is set in the jwks-uri variable of the JWT authenticator in Conjur so that Conjur knows where to find the JWKS

④ Conjur verifies that the token is legit with the JWKS public key and authenticates application identity

• Conjur identifies the application identity via the token-app-property variable of the JWT authenticator
• The token-app-property variable is set in Conjur as the project_path claim in this demo
• Conjur further verifies the applications details as configured in the annotations listed in the host (application identity) declaration
• The annotations can be any claims on the JWT that do not change on a per-run basis, e.g. namespace_id, namespace_path, project_path

⑤ Conjur returns an access token to the GitLab runner if authentication is successful

⑥ The GitLab runner will then use the access token to retrieve the secrets using REST API to the secrets URI

GitLab free tier entitles 400 units of compute per month to run GitLab SaaS runners

Credit card information is required to use GitLab SaaS runners

The small machine type is the default and consumes compute units at 1 CI/CD minute cost factor rate

The jobs to be run on GitLab uses an AWS Secret Access Key

The IAM role will need to have the permissions for S3 access and access key rotation

Ref: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/AmazonWebServicesAccessKeys.htm

Ref: https://docs.cyberark.com/Product-Doc/OnlineHelp/ConjurCloud/Latest/en/Content/HomeTilesLPs/LP-Tile4.htm

• jtan/gitlab - policy name, this forms the identity-path of the app IDs
• applications joetanx/aws-cli-demo, joetanx/terraform-aws-s3-demo and joetanx/terraform-aws-s3-cleanup are configured
  • the id of the host corresponds to the token-app-property
  • annotations of the host are optional and corresponds to claims in the JWT token claims - the more specific the annotations/claims configured, the more precise and secure the application authentication
• the host layer is granted as a member of the vault/jtan/delegation/consumers group to authorize access to the AWS secret access key synchronized from Privilege Cloud

• Configures the JWT authenticator (https://docs.cyberark.com/Product-Doc/OnlineHelp/ConjurCloud/Latest/en/Content/Operations/Services/cjr-authn-jwt-uc.htm)

• Defines the authenticator webservice at authn-jwt/jtan-gitlab

  • The format of the authenticator webservice is authn-jwt/<service-id>, the <service-id> used in this demo is jtan-gitlab, this is the URI where the GitLab pipeline will authenticate to.

• Defines the authentication variables: how the JWT Authenticator gets the signing keys

• Defines consumers group - applications that are authorized to authenticate using this JWT authenticator are added to this group
• Defines operators group - users who are authorized to check the status of this JWT authenticator are added to this group

Login to Conjur:

conjur init -u https://<subdomain>.secretsmgr.cyberark.cloud/api
conjur login -i <username> -p <password>

Download and load the Conjur policies:

curl -sLO https://github.com/joetanx/cjc-gitlab/raw/main/authn-jwt-gitlab.yaml
curl -sLO https://github.com/joetanx/cjc-gitlab/raw/main/gitlab-hosts.yaml
conjur policy load -b conjur/authn-jwt -f authn-jwt-gitlab.yaml
conjur policy load -b data -f gitlab-hosts.yaml

Enable the JWT Authenticator:

conjur authenticator enable --id authn-jwt/jtan-gitlab

Populate the variables:

conjur variable set -i conjur/authn-jwt/jtan-gitlab/jwks-uri -v https://gitlab.com/-/jwks/
conjur variable set -i conjur/authn-jwt/jtan-gitlab/token-app-property -v project_path
conjur variable set -i conjur/authn-jwt/jtan-gitlab/identity-path -v data/jtan/gitlab
conjur variable set -i conjur/authn-jwt/jtan-gitlab/issuer -v https://gitlab.com

This project tests retrieval of the AWS secret access key from Conjur

GitLab project name: AWS CLI Demo

☝️ Project name is important! The project path must match the host identity configured in the Conjur policy

There are 2 stages in the pipeline code below:

1. Fetch variables from Conjur (using CyberArk GitLab runner image)

• Authenticate to Conjur authn-jwt/jtan-gitlab using CI_JOB_JWT_V2
• Retrive AWS credentials
• Pass the credentials to the next stage using artifacts:, reports:, dotenv:

2. Test the AWS credentials

• Run Terraform using docker.io/hashicorp/terraform:latest image
• Run AWS CLI using docker.io/amazon/aws-cli:latest image

All jobs passed in the pipeline:

Output for fetch variables job:

Output for Terraform job:

Output for AWS CLI job:

This project demostrates the use of AWS secret access key retrieved from Conjur to create a S3 bucket

GitLab project name: Terraform AWS S3 Demo

☝️ Project name is important! The project path must match the host identity configured in the Conjur policy

There are 2 stages in the pipeline code below:

1. Fetch variables from Conjur (using CyberArk GitLab runner image)

• Authenticate to Conjur authn-jwt/jtan-gitlab using CI_JOB_JWT_V2
• Retrive AWS credentials
• Pass the credentials to the next stage using artifacts:, reports:, dotenv:

2. Run Terraform to create S3 bucket according to main.tf using credentials from Conjur

Both jobs passed in the pipeline:

Output for fetch variables job:

Output for Terraform job:

This project is used to verify the bucket created from the demo job above

GitLab project name: Terraform AWS S3 Cleanup

☝️ Project name is important! The project path must match the host identity configured in the Conjur policy

There are 3 stages in the pipeline code below:

1. Fetch variables from Conjur (using CyberArk GitLab runner image)

• Authenticate to Conjur authn-jwt/jtan-gitlab using CI_JOB_JWT_V2
• Retrive AWS credentials
• Pass the credentials to the next stage using artifacts:, reports:, dotenv:

2. Run AWS CLI to get the demo file from the S3 bucket created above using credentials from Conjur
3. Manual job to delete the bucket

Both jobs passed in the pipeline (manual job is pending manual activation):

Output for fetch variables job:

Output for AWS CLI job:

Proceed to run the last job to delete bucket:

Output for delete bucket job:

Activities in Conjur Cloud can be viewed on CyberArk Audit where details of the action (e.g. authenicate, fetch) and the host identities are recorded