Use build.id as subject for CI_JOB_JWT

to clearly indicate that subject is a build, as this is the actual object that is generator of the JWT.

Use build.id as subject for CI_JOB_JWT
to clearly indicate that subject is a build, as this is the actual object that is generator of the JWT.
3b194e33 · Krasimir Angelov · bf6e23e3 · 3b194e33 · 3b194e33 · 3b194e33
Commit 3b194e33 authored Apr 15, 2020 by Krasimir Angelov
3 changed files
--- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
@@ -31,7 +31,7 @@ The JWT's payload looks like this:
  "iat": 1585710286,                             # Issued at
  "nbf": 1585798372,                             # Not valid before
  "exp": 1585713886,                             # Expire at
-  "sub": "22",                                   # Subject (project id)
+  "sub": "job_1212",                             # Subject (job id)
  "namespace_id": "1",
  "namespace_path": "mygroup",
  "project_id": "22",
@@ -109,9 +109,9 @@ $ vault write auth/jwt/role/myproject-staging - <<EOF
  "role_type": "jwt",
  "policies": ["myproject-staging"],
  "token_explicit_max_ttl": 60,
-  "bound_subject": "22",
  "user_claim": "user_email",
  "bound_claims": {
+    "project_id": "22",
    "ref": "master",
    "ref_type": "branch"
  }
@@ -127,10 +127,10 @@ $ vault write auth/jwt/role/myproject-production - <<EOF
  "role_type": "jwt",
  "policies": ["myproject-production"],
  "token_explicit_max_ttl": 60,
-  "bound_subject": "22",
  "user_claim": "user_email",
  "bound_claims_type": "glob",
  "bound_claims": {
+    "project_id": "22",
    "ref_protected": "true",
    "ref_type": "branch",
    "ref": "auto-deploy-*"
@@ -139,7 +139,7 @@ $ vault write auth/jwt/role/myproject-production - <<EOF
 EOF
 ```
-This example uses [bound_subject](https://www.vaultproject.io/api/auth/jwt#bound_subject) and [bound_claims](https://www.vaultproject.io/api/auth/jwt#bound_claims) to specify that only a JWT with matching values for these claims will be allowed to authenticate.
+This example uses [bound_claims](https://www.vaultproject.io/api/auth/jwt#bound_claims) to specify that only a JWT with matching values for the specified claims will be allowed to authenticate.
 Combined with GitLab's [protected branches](../../../user/project/protected_branches.md), you can restrict who is able to authenticate and read the secrets.

--- a/lib/gitlab/ci/jwt.rb
+++ b/lib/gitlab/ci/jwt.rb
@@ -19,7 +19,7 @@ module Gitlab
        self.issuer = Settings.gitlab.host
        self.issued_at = Time.now
        self.expire_time = issued_at + (ttl || DEFAULT_EXPIRE_TIME)
-        self.subject = project.id.to_s
+        self.subject = "job_#{build.id}"
        # Custom claims
        self[:namespace_id] = namespace.id.to_s

--- a/spec/lib/gitlab/ci/jwt_spec.rb
+++ b/spec/lib/gitlab/ci/jwt_spec.rb
@@ -27,7 +27,7 @@ describe Gitlab::Ci::Jwt do
          expect(payload[:iss]).to eq(Settings.gitlab.host)
          expect(payload[:iat]).to eq(now)
          expect(payload[:exp]).to eq(now + 30)
-          expect(payload[:sub]).to eq(project.id.to_s)
+          expect(payload[:sub]).to eq("job_#{build.id}")
        end
      end
    end