From YouTube: GitLab Verify team talks about Vault Integration
Description
The GitLab Verify team (https://about.gitlab.com/direction/verify/) talks about how we can integrate Vault seamlessly into GitLab. What are the use cases? How will it work technically?
Join the discussion here: https://gitlab.com/gitlab-org/gitlab-ce/issues/40720
A
Eliott wanted to record it. I just remembered, so I just clicked the record button. Yeah, let's go ahead and get started. So yeah, generally we're talking about Vault and wanting to have... open the document, maybe he's coming... wanting to have a better or tighter, a tight integration with Vault. And just so, just to kind of like set the mood or the overall vision: you know, our opinion is that Vault, it's kind of won secrets management, right, and because it's won secrets management and our secrets management's very basic. Obviously, instead of trying to continue to like reinvent the wheel on secrets management, we should integrate with Vault very tightly. That opinion is, you know, just from being in the industry, and it's also very clear if you look at the Vault issue and the number of, you know, customers that are also Vault customers... don't want this integration. But trying to find like the MVC of that, I think it's gonna be a challenge, and a lot... the main reason, the main thing we want to get at this meeting, and so.
A
Yeah, I mean, I think it makes sense. I agree that there is definitely some sense to saying it should be on the runner side. Not that I would ever use Jenkins as the model, but as I was thinking through the MVC here, I mean, their integration with Vault is very minimal, right? Like, there's a concept in Vault of, I think it's called AppRole or something like that, right? It's basically like a shared key role for a machine. It's the way that Vault recommends.
A
Yeah, I mean, I know. I'm just, I'm down here... [unclear] in the same place. I am in the document adding the integration, like again, you say, or I don't know if it's... I don't know whose notes it is, maybe Kamil's: not to, you know, discuss implementation too early, but let's discuss implementation too early, like putting it in gitlab-runner-helper.
B
Craziest idea I've ever heard. No, but I'd love to note below: they have something called Vault Agent, which does something similar to what Tomasz said. Basically, it's a daemon that runs on your server and puts the secret in a file, so we could use that instead of rebuilding it ourselves. Okay, so yeah.
B
I'm just like... nice. And the nice part about Vault as well, if we do it on the runner: if you look at the authentication methods, it can authenticate to GitHub. So we can do something similar for GitLab, using the CI job token or something, so it would have like first-class support with Vault from both sides, and that's like an open source project, so we can contribute ourselves. But that will take a longer time. Of course, yeah.
A
The personal access token, but you know, for people that understand that risk. You know, Kamil, other thoughts that we haven't brought up? Does anyone want to... I guess the big question right now is: does anyone want to challenge runner being the right place to build this integration, generally?
D
So, like, from my perspective, if we look at the security aspect, I think that the runner is like the closest, because it doesn't go through GitLab. And technically I think that, like, we should limit the amount of interactions from GitLab on Vault. Technically, I think that GitLab should never really read the secret value. It should basically allow you to create a new one and that's it, maybe rotate, but it should be the runner that just reads the secret directly.
D
So I think that this architecture is slightly harder, but I kind of like it; it falls into my expectations of the system behavior. My only, like, idea behind it: I think that the general idea of having secrets is, like, you do not expose all of them at once. Rather, you kind of define and be very careful on, like, what secrets you use.
D
So it seems to me that there could be, like, some interesting flow: either it should be, I don't know, in the configuration, or maybe, like, we have secret variables that are secret, but instead of, like, putting the data into the field box, you say "fetch the secret from the Vault" and we never expose this information. But this is, for example, the way how we link what kind of secrets you are using. Maybe this is the way. I have a lot of other questions, but I think the runner is, like, the right place for it, really.
A
Yeah, okay. And so I want to throw... now that we've agreed to that, let me throw a massive wrench into the entire thing, which again is not MVC, so it probably doesn't change anyone's opinion of this, but one thing that I want to consider in the long term is: do we bundle Vault with GitLab, right? Like, do we allow, you know, make it easy, right? Part of the reason someone might not use, you know, proper secrets management today.
D
I would say this would rather be a separate application, because I see, like, use of Vault outside of the runner, just basically a standalone application for you to be able to, like, store your secrets and manage them, like the most obvious use case for that. But we could be very clever on how we, like, make the runner interact with Vault, by knowing that they are running in the same cluster, for example.
D
Personally, I think that it's also gonna be like that, because, like, scaling this kind of application, it's, like, quite another level. And doing that, it's really like we keep each of these instances in control of the users using this service, and by definition they cannot be very minimal to run. So the question would be here, like, how complex is it to, like, use Helm to install Vault, and like what are the challenges there.
A
I mean, if we bundle it into GitLab, we're taking on a lot of responsibilities. I think that's Kamil's point, right: if we make it installable into Kubernetes, the positive product spin on that is it's more in line with our Kubernetes-focused goals, right? The positive engineering side of it is, it's not, you know, it's not in Omnibus and has to have, you know, Omnibus config, blah blah blah, and it's much more in line with, like... why did we not bundle Jupyter with GitLab?
A
What I would like to do is avoid that being the next Windows container executor issue, right, and actually break it down in a meaningful way where we actually have, you know, minimal things to iterate on to get there. I guess, what else do we need to talk about as a team to do that? Or should we do that asynchronously? Or what are your thoughts? Kind of one out, I think.
D
Like, that flow that you want to implement. So, because we could implement it here in our runner, but technically, like, we don't have to do that, right? All of that can be modeled, like, with a .gitlab-ci.yml, just for testing, like, what kind of workflow we want to support. I kind of understand, like, what is the purpose of using Vault. I kind of understand also, like, different ways to do that.
D
It could be basically like, if you put this snippet in your .gitlab-ci.yml, you're gonna pull the credentials. So this is what you need, basically, as long as you properly configure everything. So I would try to understand, like, what we could do better, like, besides us doing these, like, three or four lines of code in the YAML, I'd say. I'm off today.
A
I'm sorry, I was typing; I'm on mute. Yeah, though I agree, Kamil. And so we've got, you know, the customer that contributed this identity API thing is a heavy Vault user. I just actually reached out to them again on Slack to talk, because I don't remember their use cases; I don't think I was involved with them originally. Like, what are they doing with the secrets once they have them, right? That's the real big question, right? And so that's why I wanted us to take these steps here again.
A
I think that Steve's point was like, I wanted to use it myself. Like, let's say I was on AWS and I had Vault and I wanted to deploy to ECS or deploy to Lambda or something. How would I use Vault to do that? Right, like, Vault creates a temporary AWS, you know, access key; that's great. So my theoretical workflow, but again I don't know how it is: I ask Vault for temporary AWS credentials. It creates them, you know, with an hour or whatever to expire. I use those credentials to run.
A
But how is that reflective of the real world? I don't know. I mean, that's Brendan's opinion, and so I'll also work on gathering the specific use case from this advanced user that I know we've been working with. I think they're deploying to AWS, but I'm not sure. But again, like, that's where it stops; I might not even understand, you know, exactly what they're doing. So I can fix that.
B
One question I have is where the identity API comes in. Like, why would you want to use the identity of a specific user who ran the job? Couldn't that cause, like, my job to fail, for example, because I'm a developer, but a maintainer's job to succeed because he's a maintainer? Yes, more or less, I think.
A
The use case for the identity API was to solve all of this in one kind of go, right, which was: how do I get secrets out of Vault? How do I authenticate that the right people are doing the right kind of jobs, and how do I authenticate... right? So I think they have, again, I'm a little bit guessing, but I'm pretty sure they have, you know, all that, right, where user identities are centralized. So get the identity of the user running a job, that ran the job, authenticate that user against LDAP.
B
Yeah, but I don't want my CI to fail just because I'm just a developer. That doesn't mean... I shouldn't know the secrets, but that doesn't mean that my CI job would fail. If I want my CI job to pass, I would have to go request access to have these secrets available to my specific job, which to me doesn't seem to make sense. It might be I'm completely misunderstanding the use case. Yeah, I don't know, I might.
A
Yeah, of interest, it would be another customer that we need to talk to, although their maturity level, or focus, is not much past ours. I mean, it is, because they have people that have experience with it, but the GitLab infrastructure team was talking about implementing Vault over what we're doing today. So it'd be very interesting. Good.
A
We're 99% sure it's got to be in the runner, not in Rails, from a security and an implementation perspective. It being in the runner should be not that hard (famous last product manager words), but the real way to figure that out is going to be to get time to invest in a proof of concept, right, similar to what we would have done with Windows. Had we known how big Windows was, would we continue?
A
Not sure, that's for engineering to decide. For in my head, it could be, right, you know, a documentation, or a corner, integrating with Vault, right? Like, the output of it is like: this is how you integrate with Vault, and it's gross, 'cause it's, you know, 10 lines of a CI script, but we know we're gonna come back to it and make it better, right? Like, I don't know, that's my poor sense.
B
And maybe we should, like, define, like... I guess Tomasz gave a good example on, like, on YAML level, how to integrate with Vault. Like, should we do, like, a mount, or should we do secrets, and where to get these secrets from, and so on and so forth. Like, we can start at a YAML level and then actually think of, like, doing the POC according to that idea of it.
D
So what we could do today is figure out, like, an installed Vault somewhere, figure out a set of commands to, like, integrate Vault, try to perform some kind of deployment requesting, I don't know, temporary AWS credentials or a temporary certificate to access Kubernetes, because this is the main purpose, and figure out, like, how it fits with, like, all our existing features, like secret variables, protected branches, protected environments, and then figure out...
D
Basically, something along these lines: on doing, like, runner calls some API endpoint, requests secrets that have limited time, as Brendan is saying, because I see that this is defined on the Vault, really, like, for how long the given secret can be used, and then maybe, like, runner performs some kind of cleanup at the end when it sees that the job is finished. But I...
D
I think that, like, everything really on the higher level is more important now, because the kind of runner interaction we can model with a GitLab CI YAML, but I think that we need to solve, like, how to integrate with GitLab: who creates secrets, who is allowed, how we are authenticated with the Vault, how we translate to, like, the protected branches and environments, how it relates to secret variables.
A
Okay, but in my mind, some of that comes pre- and some of that post-POC, probably, right? Or do you think it's not? I guess I'm trying not to throw all that into one bucket. Like, if we had a good flow, we could then work on the POC, and the POC would have to solve authentication. The POC would have to solve... it wouldn't have to, but the POC wouldn't have to solve...
D
I'm not sure. I think that we don't have to solve that yet, but I think that we have to be aware how it could be solved, having that in mind. Because, like, for example, we talked with Brendan about, like, installing Vault on the Kubernetes cluster, but probably, like, how it works with the environment scope: maybe, like, we allow you to install multiple Vault integrations, like ones that are less protected and others that are more protected, or maybe we just fall back to, like, the scopes that are defined in Vault.
D
So it's kind of, like, connected with the permission model, and personally I don't know, like, how this flow is gonna look like. So I feel that we have to play with different approaches, kind of really, like, testing how it would work for us and trying to translate that into configuration. And probably talk with this customer that is a heavy Vault user, like, what is their workflow, really, what they are doing.
B
Yeah, I think configuration-wise, it would make more sense on the runner as well, like having, in the TOML file, like, how to authenticate with Vault. It's done like only the DevOps people, like the administrators of the runners, have access to it and know how to do that. But, you asked me, as a developer, I can echo out the variable if I want to, you know, if I really want to be sneaky.
D
Allow everyone to access some kind of credentials, like every developer, that are limited and allow them to deploy, like, a QA application or review application. But on the other hand, I would also get some kind of information about the auditing, right: who did request when and how he did interact with this token. And this is, like, the primary differentiating factor, I think, between Vault and secret variables.
D
That would give some difference on the product side. I mean, technically, right, and then I wonder, maybe, like, the solution here, like, it's not even that, like, our runner is aware of the Vault. Maybe it's like the GitLab Runner has an additional set of APIs that it calls through Rails, and Rails can fetch from Vault the data without persisting them, kind of like an abstraction, and additionally authenticating, because on one hand... make it good. But this is kind of, like, going to the technical aspect.
D
Right, on one hand, you could make runner directly talk to the Vault and fetch from there, but on the other hand, it could be like a third party, like, a proxy, that, like, can authenticate you and authorize, but it doesn't really, like, care about what is, like, being forwarded, but just provides kind of, like, a common layer here, where we are not really making runner implement Vault, but rather we make it an increment.
C
Posted at the bottom of the agenda doc, there's the link to the epic and a handbook discussion and change around, like, the process they want to use for the infra team using Vault, and it looks like it's Alex and Selca who's kind of driving it, mostly from, like, on the end of individual engineers driving the changes. So they could be the people commenting in there, are the people who we should talk to for an internal... yes, yeah.
B
I think that's the delivery team, so it would be nice to schedule a call with them and, like, see what they want to use it for and how they would like to use it, I think.
A
I think that's what we should do. They should schedule it in the meantime. So I think we should open a new issue for that and make sure that it's going to cover two things: one, what are the answers we need in order to actually execute on the proof of concept, right, like workflow; and two, what are the questions that need to be considered during the proof of concept, so that we make valuable use of that time.
A
And I think out of that comes the direction for the next one. So I think that's what I want to do: open a proof of concept issue, right, and discuss. Like, again, it can be, at first, it can be the random idea of "get temporary AWS credentials and deploy to ECS". Maybe we can talk with or look at, and ideally we would maybe do the proof of concept on something at GitLab.
C
Okay, so yeah, I think let's create a new POC issue with it scoped as narrowly as we can and as clear as we can. Then, Brendan, we just need to kind of figure out where this lies with the priorities for the other runner stuff. Yeah, that's right. Let's get that issue and... not before we necessarily settle on the priorities. Yep.