This Client Workload identification method is specifically designed for GitLab Jobs deployments.
The GitLab ID Token Subject identification method allows you to identify GitLab jobs based on their group, project, and triggering branch or tag. Aembit achieves this using the subject claim within the OIDC token issued by GitLab.
Combine this method with additional Client Workload identification techniques for project path and reference identification.
Applicable Deployment Type
This method is suitable for GitLab-based CI/CD Workflow deployments.
Configuration
Aembit Cloud
- Create a new Client Workload.
- Choose GitLab ID Token Subject for client identification.
- Construct a subject manually using the format specified below and use it in the Value field.
- Format - project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}, where type can be either branch (for a branch-triggered workflow) or tag (for a tag-triggered workflow).
- Example - project_path:my-group/my-project:ref_type:branch:ref:feature-branch-1
Finding the GitLab ID Token Subject:
You can reconstruct the subject claim as follows:
- Identify the project path: Navigate to Projects in GitLab and go to the All tab. Locate your project and copy the full displayed project path (e.g., my-group/my-project).
- Determine ref type: Identify whether the workflow was triggered by a branch (then ref_type is branch) or a tag (ref_type is tag).
- Get the ref: Find the specific branch name (e.g., main) or tag name (e.g., v1.2.0). Check your workflow configuration or, if accessible, the GitLab UI for triggering event details.
- Combine the information: Assemble the subject using the format project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}.
Alternatively, you can inspect the GitLab OIDC token to extract the subject claim. For further details, please contact Aembit.
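The two approaches above, side by side, as an added example (not Aembit's or GitLab's code): it assembles the subject from its parts, reads the subject claim out of an ID token, and compares the two before the string goes into the Value field. The function names are hypothetical, the sample token is constructed and unsigned, and the decoder does not verify the signature, so it is for reading the claim during configuration only.

```python
import base64
import json

REF_TYPES = ("branch", "tag")

def build_subject(project_path, ref_type, ref):
    """Assemble the subject in the format given on this page."""
    if ref_type not in REF_TYPES:
        raise ValueError(f"ref_type must be one of {REF_TYPES}, got {ref_type!r}")
    # A bare project name without its group is a common copy mistake.
    if "/" not in project_path or ":" in project_path:
        raise ValueError(f"expected a full path like my-group/my-project, got {project_path!r}")
    # ':' separates the fields, so a ref containing it would be ambiguous.
    if not ref or ":" in ref:
        raise ValueError(f"invalid ref name: {ref!r}")
    return f"project_path:{project_path}:ref_type:{ref_type}:ref:{ref}"

def subject_from_token(id_token):
    """Return the 'sub' claim of a compact JWT. No signature verification."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]

def check_value(configured_value, id_token):
    """Exact string comparison of the configured Value with the token subject."""
    actual = subject_from_token(id_token)
    return configured_value == actual, actual

def make_sample_token(claims):
    """Build a constructed, unsigned token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed"])

if __name__ == "__main__":
    # Constructed sample: a job triggered by tag v1.2.0.
    token = make_sample_token(
        {"sub": "project_path:my-group/my-project:ref_type:tag:ref:v1.2.0"})
    # A Value written for the main branch does not match the tag-triggered job.
    for value in (build_subject("my-group/my-project", "branch", "main"),
                  build_subject("my-group/my-project", "tag", "v1.2.0")):
        matches, actual = check_value(value, token)
        print(f"{value!r} matches={matches} (token sub: {actual!r})")
```
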