Add warning to always restrict scope of Vault role

Roles should be restricted to project or namespace, using one of the provided claims in CI_JOB_JWT.

Add warning to always restrict scope of Vault role
Roles should be restricted to project or namespace, using one of the provided claims in CI_JOB_JWT.
0dd976fb · Krasimir Angelov · 8dcdd442 · 0dd976fb
Commit 0dd976fb authored Apr 16, 2020 by Krasimir Angelov
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

doc/ci/examples/authenticating-with-hashicorp-vault/index.md doc/ci/examples/authenticating-with-hashicorp-vault/index.md +3 -0

No files found.
--- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
@@ -153,6 +153,9 @@ Combined with GitLab's [protected branches](../../../user/project/protected_bran

 For the full list of options, see Vault's [Create Role documentation](https://www.vaultproject.io/api/auth/jwt#create-role).

+CAUTION: **Caution**:
+Always restrict your roles to project or namespace by using one of the provided claims (e.g. `project_id` or `namespace_id`). Otherwise any JWT generated by this instance may be allowed to authenticate using this role.
+
 Now, configure the JWT Authentication method:

 ```shell