Category Direction - Secrets Management

1. You are here:
2. GitLab Direction
3. Verify Stage Direction
4. Category Direction - Secrets Management

• Secrets Management
  • Introduction and how you can help
  • Overview
  • Strategy and Themes
  • 1 year plan
    • Advanced security and compliance
    • What is next for us
    • What we are currently working on
    • What we recently completed
    • What is Not Planned Right Now
  • Best in Class Landscape
    • Key Capabilities
    • Roadmap
    • Top Competitive Solutions
  • Target Audience
  • Pricing and Packaging
    • Current Position
  • Analyst Landscape

Secrets Management

Stage	Verify
Maturity	Minimal
Content Last Reviewed	2023-12-15

Introduction and how you can help

Thanks for visiting this category direction page on Secrets Management in GitLab. This page belongs to the Pipeline Security group of the Verify stage and is maintained by Jocelyn Eillis (E-Mail).

This category covers the experiences related to variables, pipeline permissions, and secrets. For more information, check out the features page.

This direction page is a work in progress, and everyone can contribute:

• Please comment and contribute in the linked issues and epics on this page. Sharing your feedback directly on GitLab.com is the best way to contribute to our strategy and vision.
• Please share feedback directly via email or schedule a video call. If you're a GitLab user and have direct knowledge of your need for secrets management, CI variables, and CI_JOB_TOKEN, we'd especially love to hear from you.

Overview

Everybody has a secret.

Secrets Management can have a broad meaning. For the Secrets Management product category at GitLab, we have a very specific scope. Secrets Management is specifically about enabling GitLab, or a component built within GitLab to connect to other systems.

The Secrets Management product category does not include the various access tokens created within GitLab that allow other systems to access GitLab or GitLab to access itself. In order to provide an aligned vision and strategy around access to GitLab, these features typically fall under the Authentication and Authorization category.

As Secrets Management focuses primarily on how GitLab can access 3rd party systems, it is tightly coupled to the Environment Management product category.

There are 3 classifications of secrets within the scope of Secret Management:

• static secrets
• dynamic secrets
• application secrets

Ideally, application secrets would never reach GitLab as they are used only within the user's infrastructure and enable one service to access another service, i.e. the database URI deployed into a web application's configuration. The best approach around application secrets would be to retrieve them within the user's infrastructure, without the secret ever leaving the internal network.

In our categorization, static and dynamic secrets are the secrets used to access a 3rd party system by GitLab itself, let it be for a deployment, reporting or any other integration reason. The difference between dynamic and static secrets is their lifespan. Static secrets are … static. They either exist permanently or are revoked or rotated in a separate process. Dynamic secrets are short-lived and their lifespan is often managed by a tool, such as HashiCorp's Vault.

Strategy and Themes

1 year plan

In FY24, we are planning to focus on the following Product Themes:

Advanced security and compliance

1. Remove restrictions around masked variables
2. Begin work on the MVC for Gitlab's native secrets manager
3. As part of our partnership with Google, we will be prioritizing the GCP secrets manager native integration in FY24-Q4.

As we move forward into FY25, we will continue to focus on security, specifically:

1. Advance JWT token support OpenID Connect to enable customization of JWT sub claims.
2. Allow users to hide "masked" variables in project and group settings.
3. Deliver the MVC for Gitlab's native secrets manager.
4. Focus on building a consistent user experience for CI variables.
5. Provide native integration for AWS Secrets Manager, similar to our existing offerings for HashiCorp Vault and Azure Key Vault.

What is next for us

In the next 3 months, we will be focusing on:

1. Delivery of the GCP Secrets Manager native integration. This enables GitLab users who use the GCP Secrets Manager a seamless integration with GitLab to authenticate, configure, and read secrets.
2. Research and prototyping of a native secrets manager to better understand how our customers are using secrets to secure workflows - and how we can improve the experience.
3. Incremental improvements to bring forward the optimal CI variables user experience to drive consistency across our feature.

What we are currently working on

In milestone 16.8, our team is working on:

1. Delivering the GCP Secrets Manager native integration, completing both the Runner and Rails implementation and documentation.
2. Adding truncation for CI_MERGE_REQUEST_DESCRIPTION. When the variable field is too long, this can cause the pipeline to break. As a result, we will be truncating this variable and providing a flag to indicate if the automatic trunction was triggered.
3. Investigating the backend effort to add the search feature for CI variables and deliver a proposal for implementation. Currently users must use built-in browser functionality to search for variables which is a sub-optimal user experience. Enabling this feature will allow us to add pagination for the CI variables list.

What we recently completed

In 16.7, our team delivered:

1. Resolution of an AWS IAM bug causing a InvalidIdentityToken error. This is now available in production for GitLab.com users and behind a feature flag which will need to be enabled by self-managed customers.
2. Definition of the OIDC configuration for the GCP Secrets Manager native integration. The implementation work is continuing in subsequent milestones, with a planned GA in January 2024.
3. Improvements for the CI variables user experience through the addition of help text when creating a variable and validation messaging if the variable name does not meet requirements.

In 16.6, our team delivered:

1. Rollout of our new CI variables drawer experience. This new design is intended to provide real-time feedback and confirmation of variables entered via the UI. We welcome feedback on this new design as we continue to focus on improving our CI variables experience in future iterations.

In 16.5, our team delivered:

1. Architectural blueprint and design MVC for the GitLab native secrets manager.
2. Continuing to standardize the user experience through the variables UI drawer by adding actions to enable search and selection of environment scope, setting a wildcard environment scope, and adding/editing/deleting a variable.

What is Not Planned Right Now

1. Native integrations with third party secrets management services not specified above. We understand streamlining processes with external secrets managers is a desired feature. Rather than developing these in-house, we are investigating partnership solutions to meet this customer need.
2. Enhancements to our existing GitLab HashiCorp Vault integration. We do not have data to support prioritizing advanced features with Vault beyond our current offering.

Best in Class Landscape

BIC (Best In Class) is an indicator of forecasted near-term market performance based on a combination of factors, including analyst views, market news, and feedback from the sales and product teams. It is critical that we understand where GitLab appears in the BIC landscape.

Key Capabilities

We envision GitLab providing an industry-leading solution for managing static secrets, has loveable integrations with selected third-party secret managers, and provides advanced features (i.e. key management) to ensure best secrutiy practices to fully mitigate the risk of moving application secrets outside customer infrastructure.

The driving principles around static secrets managements are that secrets should be

• restricted
• write only
• encrypted at rest and in transit
• versioned
• auditable
• revokable

Every IT project requires secrets. As a result, by not providing a strong offering in this space, we force all security-minded users to have to search for an alternative solution. Without Secret Management out-of-the-box, we fail to fulfill our vision of being a complete single DevSecOps platform.

We also know that a large majority (80%) of customers only require support for static secrets and removing the pain around application secrets, so our investment does not have to be massive. Nor do we have to complete directly with the market leader in Hashicorp Vault.

Roadmap

Top Competitive Solutions

The biggest question with respect to Secrets Management integrations is to choose the right partners. The Secrets Management market is a fast moving target with a few, well known providers offering their solutions, and a huge number of users not using any of these. Beside HashiCorp Vault, notable offerings are at least CyberAkr Conjur and the Secrets Management offering of AWS, Google Azure and akeyless.

Additionally, Vault Enterprise offers additional sets of capabilities that will not be part of the open source version of Vault bundled with GitLab. This includes replication across datacenters, hardware security modules (HSMs), seals, namespaces, servicing read-only requests on HA nodes (though, the open source version does support high-availability), enterprise control groups, multi-factor auth, and sentinel.

For customers who want to use GitLab with the enterprise version of Vault, we need to ensure that this is easy to switch to/use as well.

In the CICD variables space, GitHub variables, offer comparable flexibility and power. They also offer a differentiation between variables and GitHub secrets, which has set an expectation in the market for a distinct treatment of those objects. We are beginning to investigate this for GitLab in gitlab#217355. GitHub Actions supports injection of HashiCorp Vault Secrets into CICD pipelines, which is directly competing with GitLab's first-to market offering of HashiCorp Vault Secrets in GitLab.

Target Audience

Operations, compliance, security, and audit teams will derive immense value from being able to manage secrets within GitLab. In the motion of shifting security left, developers will also be empowered with the comprehensive treatment of variables and keys as a secrets in GitLab. By prioritizing external key store integrations, we will expand GitLab's security by offering an extra layer for tokens, keys, and other confidential data. This combination of tools will further establish GitLab's presence as an enterprise-grade, corporate solution for Release Management.

Pricing and Packaging

As secret handling is a core requirement of every IT project, basic static secret management should be part of GitLab Free. Permissions management, versioning, audit logs around static secrets can be Premium or Ultimate features. Dynamic secrets management with a bring your own device (BYOD) approach should be part of GitLab Free, while support for Enterprise Secrets Management features is to be considered for Premium and Ultimate.

Current Position

Today GitLab supports environment variables. Environment variables fall short of the basic requirements for secret storage.

GitLab also has decent integration with Hashicorp Vault OSS edition. However, the integration lacks support for Vault Enterprise features.

Lastly, GitLab provides a JWT_TOKEN that could enable access to various 3rd party systems. However, its lack of flexibility and lack of standard compliance restricts its potential.

Analyst Landscape

• In March 2023 Gartner had publish a research name Managing Machine Identities, Secrets, Keys and Certificates (internal link)
• Internal research Enterprise SaaS User Base Survey: Secrets + SaaS