The GitLab Vault secrets plugin dynamically generates GitLab project access tokens based on the parameters passed to it. This lets users gain access to GitLab projects without having to create or manage project access tokens manually.
This plugin supports two ways to generate a token under the /token path:
- At the root of the /token path, a user requests a token by passing parameters directly.
- (WIP) A user predefines roles with parameters. A user can then request a role's token at /token/:<role-name>.
The parameters are the same as those of GitLab's Project Access Token API.
path /token
- Create/Update: generate a project access token with the given parameters
path /roles/:<role_name>
- Create/Update: create or update the Vault resource with the given parameters. This does not call the GitLab API.
- Delete: delete the Vault resource
- Get: return the stored parameters for the role
- List: list all roles
path /token/:<role_name>
- Create/Update: generate a project access token with the parameters stored for the role
There are two kinds of access control in this plugin.
- Permissions attached to the configured token (what the token used to call the GitLab API is allowed to do)
- Vault resource access control - path access and capabilities
The root /token path can be used to request a project access token for any project and any scopes, as long as the configured token used to generate access tokens has the necessary permissions in those projects. The second kind of access control (Vault's path ACL) cannot limit the parameters that are passed.
That being said, it is better to use roles, which predefine a project and scopes, and then request a project access token for a role. You can further limit access to the role's path through the second kind of access control imposed by Vault.
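The role-based pattern recommended above, expressed as a Vault ACL policy for a token consumer (for example a CI job). This is an added example, not part of the plugin's documentation; the mount path `gitlab/` and the role name `ci-reader` are assumptions.

```hcl
# Assumed mount path "gitlab/" and role "ci-reader" (not from the plugin docs).
# An operator predefines the role under gitlab/roles/ci-reader with a fixed
# project and scopes; this policy only lets the consumer mint that role's token.

# Allow requesting a token for the predefined role only.
# Create/Update on /token/:<role_name> maps to the create and update capabilities.
path "gitlab/token/ci-reader" {
  capabilities = ["create", "update"]
}

# Explicitly deny the root /token path: it accepts arbitrary project and scope
# parameters, and Vault path access control cannot constrain what is passed.
path "gitlab/token" {
  capabilities = ["deny"]
}

# Deny any role management from the consumer side; roles are defined by operators
# under a separate policy granting create/update/read/delete/list on gitlab/roles/*.
path "gitlab/roles/*" {
  capabilities = ["deny"]
}
```

Vault denies by default, so the two "deny" stanzas are not strictly required; they make the intent explicit and survive a later policy merge that grants a broad `gitlab/*` path.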