For OIDC compliance, the iss claim now uses

To prepare for this change, configure your pipelines to use ID tokens

ID tokens are more secure than the old CI_JOB_JWT* JSON web tokens which are exposed in every job, and as a result these old JSON web tokens are deprecated:

These tokens are more configurable than the old JSON web tokens (JWTs), are OIDC compliant, and only available in CI/CD jobs that explicitly have ID tokens configured.

Jobs that do not use the id_tokens keyword will continue to have the CI_JOB_JWT*.

CI/CD jobs that use the id_tokens keyword can use ID tokens with secrets:vault, and will not have any CI_JOB_JWT* tokens available.

In GitLab 15.9 to 15.11, you can enable the Limit JSON Web Token (JWT) access setting, which prevents the old tokens from being exposed to any jobs and enables ID token authentication for the secrets:vault keyword.

Ensure the bound audience is prefixed with

To prepare for this change, use the new id_tokens

Any projects that use the secrets:vault keyword to retrieve secrets from Vault will need to be configured to use the ID tokens.

To discuss this change or learn more, see the deprecation issue.

As part of our effort to improve the security of your CI workflows using JWT and OIDC, the native HashiCorp integration is also being updated in GitLab 16.0.