We have an on-prem Gitlab instance, which is not accessible publicly (only through a VPN).
The GCP documentation says that the IdP's OIDC metadata and JWKs endpoints need to be publicly accessible. How can we set up the Workload Identity Federation in this case?
Also, the Gitlab instance is v14.0, so the CI_JOB_JWT_V2 variable is unavailable. I suppose we will have to upgrade the version because there is no other way to get a correct JWT token.
You can use workload identity federation with other identity providers (IdPs) that support either the OpenID Connect (OIDC) or SAML authentication protocol. To perform this task, your external IdP should support OpenID Connect, and its OIDC metadata and JWKS endpoints must be publicly accessible over the internet, as mentioned in the Cloud documentation.
Google Cloud uses these endpoints to download your IdP's key set and uses this key set to validate tokens.
You are using GitLab 14.0, in which the JWT is deprecated, since CI_JOB_JWT_V2 was deprecated in GitLab 15.9 and is scheduled to be removed in GitLab 16.5. Use ID tokens instead.
Use id_tokens to create JSON Web Tokens (JWTs) to authenticate with third-party services. All JWTs created this way support OIDC authentication. The required aud sub-keyword is used to configure the aud claim of the JWT, as mentioned in the GitLab docs.
Possible inputs:
Example of id_tokens:
job_with_id_tokens:
  id_tokens:
    ID_TOKEN_1:
      aud: https://gitlab.com          # becomes the aud claim of $ID_TOKEN_1
    ID_TOKEN_2:
      aud:                             # a list becomes a JSON array in the aud claim
        - https://gcp.com
        - https://aws.com
  script:
    - command_to_authenticate_with_gitlab $ID_TOKEN_1
    - command_to_authenticate_with_aws $ID_TOKEN_2
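To make concrete what Google's side does with the two endpoints the answer above mentions, here is an added example (not code from the question, the answer, GitLab or Google) that plays both roles with the Go standard library: it publishes an RSA key as a JWKS document the way an IdP's JWKS endpoint would, mints an RS256 ID token with GitLab-style claims (the stand-in for the id_tokens keyword), and then verifies that token the way the STS must before it exchanges it: look the key up by kid in the fetched JWKS, check the signature, then enforce iss, aud, exp and one attribute condition on project_path. The ProviderConfig type, the issuer URL, the pool and provider names in the audience and the project path are all placeholders invented for the example; the audience string follows the default form Google expects for an OIDC provider. The point for the question: every check after the signature is a local string comparison, but the signature check cannot happen at all unless the key set is reachable from Google's side, which is why the discovery and JWKS endpoints (for GitLab, /.well-known/openid-configuration and the jwks_uri it points to, /oauth/discovery/keys) are the only thing that has to be exposed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // unpadded base64url, as JWT segments and JWK parameters use

// JWK/JWKS: the RSA public-key fields a verifier reads from the IdP's JWKS endpoint.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// Claims are the GitLab ID-token claims checked here (aud is read as one string;
// GitLab emits a JSON array when an id_tokens entry lists several audiences).
type Claims struct {
	Iss         string `json:"iss"`
	Aud         string `json:"aud"`
	Exp         int64  `json:"exp"`
	ProjectPath string `json:"project_path"`
}

// ProviderConfig is a hypothetical stand-in for what a Workload Identity Pool
// OIDC provider stores: issuer URI, allowed audience and one attribute condition.
type ProviderConfig struct {
	IssuerURI, AllowedAudience string
	AllowedProject             string // condition: assertion.project_path == this
}

// publishJWKS renders the public key the way an IdP's JWKS endpoint serves it.
func publishJWKS(pub *rsa.PublicKey, kid string) JWKS {
	e := b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: e}}}
}

// signIDToken mints an RS256 JWT with the given claims (stand-in for GitLab's id_tokens keyword).
func signIDToken(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyIDToken does what Google's STS must do before it exchanges the token: pick the
// key by kid from the fetched JWKS, verify the RS256 signature, then enforce iss, aud,
// exp and the provider's attribute condition.
func verifyIDToken(token string, jwks JWKS, cfg ProviderConfig, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("malformed header")
	}
	if hdr.Alg != "RS256" { // never let the token pick the algorithm (none, HS256, ...)
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in JWKS", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature check failed")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	switch {
	case c.Iss != cfg.IssuerURI:
		return nil, fmt.Errorf("issuer %q not trusted", c.Iss)
	case c.Aud != cfg.AllowedAudience:
		return nil, fmt.Errorf("audience %q not allowed", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token expired")
	case c.ProjectPath != cfg.AllowedProject:
		return nil, fmt.Errorf("attribute condition rejected project %q", c.ProjectPath)
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // placeholder for the instance's OIDC signing key
	cfg := ProviderConfig{IssuerURI: "https://gitlab.example.internal", AllowedProject: "group/app",
		AllowedAudience: "https://iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/gitlab/providers/gitlab-oidc"}
	tok, _ := signIDToken(key, "k1", Claims{Iss: cfg.IssuerURI, Aud: cfg.AllowedAudience, Exp: time.Now().Add(5 * time.Minute).Unix(), ProjectPath: "group/app"})
	_, err := verifyIDToken(tok, publishJWKS(&key.PublicKey, "k1"), cfg, time.Now())
	fmt.Println("accepted:", err == nil)
}
```

Run it with go run; the audience in the CI job's id_tokens entry must equal the provider's allowed audience exactly, or the exchange fails at the aud check even though the signature is valid.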