IAM Auth Service configuration
Overview
The IAM Auth Service integration is an experimental feature currently available only on GitLab.com for testing a pre-release service. This feature is subject to change and should not be used in production environments outside of GitLab.com.
Status
- Availability: GitLab.com only
- Stability: Experimental (subject to change)
- Support: Limited to GitLab.com infrastructure team
Configuration
The IAM Auth Service can be configured through the Helm chart values under global.appConfig.iamAuthService.
Basic configuration
```yaml
global:
  appConfig:
    iamAuthService:
      enabled: true
      http:
        host: iam-auth.example.com
        port: 443
      grpc:
        host: iam-auth.example.com
        port: 5004
      authToken:
        secret: gitlab-iam-auth-token
        key: authToken
      jwtIssuer: https://iam-auth.example.com
```
Configuration options
| Option | Type | Default | Description |
|---|---|---|---|
| `enabled` | boolean | `false` | Enable or disable IAM Auth Service integration |
| `http.host` | string | | Hostname of the HTTP endpoint |
| `http.port` | integer | | Port number of the HTTP endpoint |
| `grpc.host` | string | | Hostname of the gRPC endpoint |
| `grpc.port` | integer | | Port number of the gRPC endpoint |
| `jwtAudience` | string | `gitlab-rails` | The value used for the `aud` claim in JWTs sent to this service |
| `jwtIssuer` | string | | The value used to validate the `iss` claim in JWTs sent to this service by the IAM Auth Service. This must match exactly the issuer name used in the IAM Auth Service's own configuration. |
| `authToken.secret` | string | | Name of the Kubernetes secret containing the authentication token |
| `authToken.key` | string | `iam_auth_service_token` | Key within the secret containing the authentication token |
Secret generation
When IAM Auth Service is enabled, the Helm chart automatically generates a service authentication token and stores it in a Kubernetes secret. The token is generated from cryptographically secure random bytes and converted to alphanumeric text.
The secret is created during the initial deployment and persists across upgrades. If a secret with that name already exists, the chart does not regenerate it, so a token you pre-create (or rotate by hand) is left untouched.
Important notes
- This feature is not intended for use outside of GitLab.com
- Configuration changes may occur without notice
- The service endpoint and authentication mechanism may change
- Do not rely on this feature for production deployments
- Report issues or feedback to the GitLab SSCS - Authentication team
Future considerations
As the IAM Auth Service matures, this feature may be:
- Moved to general availability with full documentation
- Deprecated in favor of alternative authentication mechanisms
- Significantly changed in behavior or configuration
Users should monitor GitLab release notes and this documentation for updates on the status of this experimental feature.