{"id":24176546,"url":"https://github.com/splunk/vault-plugin-secrets-gitlab","last_synced_at":"2025-10-17T15:51:37.340Z","repository":{"id":37939427,"uuid":"387905025","full_name":"splunk/vault-plugin-secrets-gitlab","owner":"splunk","description":"Vault Plugin for Gitlab Project Access Token","archived":false,"fork":false,"pushed_at":"2024-09-11T00:27:16.000Z","size":193,"stargazers_count":51,"open_issues_count":17,"forks_count":10,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-05-07T15:09:41.703Z","etag":null,"topics":["gitlab","hacktoberfest","vault"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/splunk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-07-20T20:20:37.000Z","updated_at":"2025-04-15T12:49:51.000Z","dependencies_parsed_at":"2024-06-19T04:08:47.429Z","dependency_job_id":"8ab3cbb3-4902-45cc-b530-95d4e438b906","html_url":"https://github.com/splunk/vault-plugin-secrets-gitlab","commit_stats":{"total_commits":42,"total_committers":6,"mean_commits":7.0,"dds":0.3571428571428571,"last_synced_commit":"f511134d85af05c31659efe832cf52f8320cb68a"},"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fvault-plugin-secrets-gitlab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fvault-plugin-secrets-gitlab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fvault-plugin-secrets-gitlab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fvault-plugin-secrets-gitlab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/splunk","download_url":"https://codeload.github.com/splunk/vault-plugin-secrets-gitlab/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252902614,"owners_count":21822261,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gitlab","hacktoberfest","vault"],"created_at":"2025-01-13T03:16:26.193Z","updated_at":"2025-10-17T15:51:37.282Z","avatar_url":"https://github.com/splunk.png","language":"Go","readme":"# Vault Plugin for Gitlab Project Access Token\n\n[![build-status-badge]][actions-page]\n[![go-report-card-badge]][go-report-card]\n[![codecov-badge]][codecov]\n![go-version-badge]\n\nThis is a backend plugin to be used with Vault. This plugin generates [Gitlab Project Access Tokens][pat]\n\n- [Requirements](#requirements)\n- [Getting Started](#getting-started)\n  - [Usage](#usage)\n- [Design Principles](#design-principles)\n- [Development](#development)\n- [Contribution](#contribution)\n- [License](#license)\n\n## Requirements\n\n- Gitlab instance with **13.10** or later for API compatibility\n- You need **14.1** or later to have access level\n- Self-managed instances on Free and above. Or, GitLab SaaS Premium and above\n- a token of a user with maintainer or higher permission in a project\n\n- Lifting API rate limit for the user whose token will be used in this plugin to generate/revoke project access tokens. Admin of self-hosted can check [this doc][lift rate limit] to allow specific users to bypass authenticated request rate limiting. For SaaS Gitlab, I have not confirmed how to lift API limit yet.\n\n## Getting Started\n\nThis is a [Vault plugin] meant to work with Vault. This guide assumes you have already installed\nVault and have a basic understanding of how Vault works.\n\nOtherwise, first read [how to get started with Vault][vault-getting-started].\n\nTo learn specifically about how plugins work, see documentation on [Vault\nplugins][vault plugin].\n\n### Usage\n\n```sh\n# Please mount a plugin, then you can enable a secret\n$ vault secrets enable -path=gitlab vault-plugin-secrets-gitlab\nSuccess! Enabled the vault-plugin-secrets-gitlab secrets engine at: gitlab/\n\n# configure the /config backend. You must supply a token which can generate project access tokens\n$ vault write gitlab/config base_url=\"https://gitlab.example.com\" token=$GITLAB_TOKEN \n\n# see supported paths\n$ vault path-help gitlab/\n$ vault path-help gitlab/config\n\n# generate an ephemeral gitlab token\n$ vault write gitlab/token id=1 name=ci-token scopes=api,write_repository\nKey           Value\n---           -----\nid            12345\nname          ci-token\nscopes        [api write_repository]\ntoken         REDACTED_TOKEN\n\n# create a role\n$ vault write gitlab/roles/ci-role id=1 name=project1-role scopes=read_api,read_repository\nKey           Value\n---           -----\nrole_name     ci-role\nid            1\nname          project1-role\nscopes        [read_api read_repository]\ntoken_ttl     86400s\n\n# generate an ephemeral gitlab token for ci-role\n$ vault write gitlab/token/ci-role\nKey           Value\n---           -----\nid            12346\nname          project1-role\nscopes        [read_api read_repository]\ntoken         REDACTED_TOKEN\nexpires_at    2021-09-13\n```\n\n## Design Principles\n\nThe Gitlab Vault secrets plugin dynamically generates gitlab project access token based on passed parameters. This enables users to gain access to Gitlab projects without needing to create or manage project access tokens manually.\n\nYou can find [detail design principles](docs/design-principles.md)\n\n## Development\n\n## Full dev environment\n\nTo be coming...\n\nTODO: spin up a gitlab instance in docker\n\n## Developing with an existing Gitlab instance\n\nRequirements:\n\n- vault\n\n```sh\n# Build binary in plugins directory, and spin up dev vault\nmake vault-only\n\n# In New Terminal\nexport VAULT_ADDR=http://localhost:8200\nexport GITLAB_URL=\"https://gitlab.example.com\"\nexport GITLAB_TOKEN=TOKEN\n\n\n# enable secrets backend and configuration\n./scripts/setup_dev_vault.sh\n```\n\nYou can then issue a project access following above usage.\n\n### Tests\n\n```sh\n# run unit tests\nmake test\n\n# run subset of tests\nmake test TESTARGS='-run=TestConfig'\n\n# run acceptance tests (uses Vault and Gitlab Docker containers against the compiled plugin)\nmake acc-test\n\n# generate a code coverage report\nmake report\nopen coverage.html\n\n```\n\n## Contribution\n\nThis plugin was initially created as Hackathon project to enahance ephemeral credential suite. Another example is [vault-plugin-secrets-artifactory]. Contribution in a form of `issue`, `merge request` and donation will always be welcome.\n\nPlease refer [CONTRIBUTING.md](CONTRIBUTING.md) and [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md) before contributing.\n\n## License\n\n[Apache Software License version 2.0](LICENSE)\n\n[pat]: https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html\n[lift rate limit]: https://docs.gitlab.com/ee/user/admin_area/settings/user_and_ip_rate_limits.html#allow-specific-users-to-bypass-authenticated-request-rate-limiting\n[vault-plugin-secrets-artifactory]: https://github.com/splunk/vault-plugin-secrets-artifactory\n[vault plugin]:https://www.vaultproject.io/docs/internals/plugins.html\n[vault-getting-started]:https://www.vaultproject.io/intro/getting-started/install.html\n[actions-page]:https://github.com/splunk/vault-plugin-secrets-gitlab/actions\n[build-status-badge]:https://github.com/splunk/vault-plugin-secrets-gitlab/workflows/test.yml/badge.svg\n[codecov]:https://codecov.io/gh/splunk/vault-plugin-secrets-gitlab\n[codecov-badge]:https://codecov.io/gh/splunk/vault-plugin-secrets-gitlab/branch/main/graph/badge.svg\n[go-report-card]:https://goreportcard.com/report/github.com/splunk/vault-plugin-secrets-gitlab\n[go-report-card-badge]:https://goreportcard.com/badge/github.com/splunk/vault-plugin-secrets-gitlab\n[go-version-badge]:https://img.shields.io/github/go-mod/go-version/splunk/vault-plugin-secrets-gitlab\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsplunk%2Fvault-plugin-secrets-gitlab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsplunk%2Fvault-plugin-secrets-gitlab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsplunk%2Fvault-plugin-secrets-gitlab/lists"}