1. Secure Storage of AI Data Access Tokens with GitLab Variables

    Python

    To securely store AI data access tokens in GitLab, we use GitLab's CI/CD variables. These variables allow you to store sensitive information, such as access tokens, that you may need within your CI/CD pipeline without hardcoding them into your repository, where they could be exposed.

    In GitLab, CI/CD variables can be stored at multiple levels:

    • Project-level variables apply only to a specific project.
    • Group-level variables are available to all projects within a given group.
    • Instance-level variables are available to all projects across the GitLab instance.

    There are two main types of variables:

    • Variable: holds the value as plain text in an environment variable.
    • File: the value is written to a file, and the path to that file is injected into the job's environment.

    Additionally, you can mark a variable as protected, which means it's only exposed to pipelines running on protected branches or tags, and as masked, which ensures that the value of the variable is not accidentally shown in the job logs.

    For storing AI data access tokens, you would generally use project-level or group-level variables, depending on the scope at which you're using the tokens. If the token is to be used by multiple projects within the same group, a group-level variable is appropriate. For project-specific tokens, use project-level variables.

    Below is a program that illustrates how to create project-level variables in GitLab using Pulumi:

    ```python
    import pulumi
    import pulumi_gitlab as gitlab

    # Provide the full path (namespace/name) of your GitLab project here.
    project_path = "your-namespace/your-gitlab-project-name"

    # Never hardcode sensitive values in your Pulumi program. Read the token from
    # Pulumi's encrypted configuration instead, after setting it with:
    #   pulumi config set --secret aiDataAccessToken <value>
    config = pulumi.Config()
    ai_data_access_token_value = config.require_secret("aiDataAccessToken")

    # Fetch the GitLab project you want to add variables to.
    # Looking it up by namespace and name resolves the project ID.
    project = gitlab.get_project(path_with_namespace=project_path)

    # Create a new GitLab project variable for the AI access token.
    ai_data_access_token = gitlab.ProjectVariable(
        "aiDataAccessToken",
        project=project.id,
        key="AI_DATA_ACCESS_TOKEN",
        value=ai_data_access_token_value,
        masked=True,     # Ensures the value doesn't show up in job logs
        protected=True,  # Makes the variable available only in protected branches and tags
    )

    # Export the variable ID so you can refer to it if needed.
    pulumi.export("ai_data_access_token_id", ai_data_access_token.id)
    ```

    This Pulumi program retrieves a GitLab project (assuming you have already set up a GitLab provider configuration with your credentials) and creates a new CI/CD variable within that project. The variable is masked and protected, so its value is hidden in job logs and is only exposed to pipelines running on protected branches or tags. The variable can then be used within your GitLab CI/CD pipelines by referencing its key (in this case, AI_DATA_ACCESS_TOKEN).

    Remember that you should treat the actual values of such variables as sensitive information and not include them in your version control. Always source sensitive values from secure locations at runtime or during Pulumi's deployment process.
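
    The job-side counterpart, as an added example that is not part of the original answer: a script run inside the pipeline that reads AI_DATA_ACCESS_TOKEN whether it was stored as a Variable or a File type, fails closed when a protected variable was not injected, and logs only a fingerprint. The function names and the Bearer header scheme are assumptions; CI_COMMIT_REF_PROTECTED is GitLab's predefined variable for protected refs.

```python
import hashlib
import os
from pathlib import Path

KEY = "AI_DATA_ACCESS_TOKEN"  # key of the CI/CD variable described on this page


class TokenUnavailable(RuntimeError):
    """Raised when the CI/CD variable was not injected into this job."""


def load_token(env=os.environ, key=KEY):
    """Return the token from a 'Variable' or 'File' type CI/CD variable."""
    raw = env.get(key, "")
    if not raw:
        # Protected variables are only injected for protected branches and
        # tags, so report that case explicitly instead of sending no token.
        if env.get("CI_COMMIT_REF_PROTECTED") == "false":
            raise TokenUnavailable(f"{key} is protected; this ref is not")
        raise TokenUnavailable(f"{key} is not set for this job")
    # For File-type variables the environment variable holds the path of a
    # file that contains the value, not the value itself.
    path = Path(raw)
    if path.is_absolute() and path.is_file():
        raw = path.read_text(encoding="utf-8")
    token = raw.strip()
    if not token:
        raise TokenUnavailable(f"{key} is empty")
    return token


def fingerprint(token):
    """Short SHA-256 prefix that can be logged in place of the token."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def auth_headers(env=os.environ):
    """Build request headers (Bearer scheme is an assumed API convention)."""
    return {"Authorization": f"Bearer {load_token(env)}"}


if __name__ == "__main__":
    # Constructed sample environment standing in for a job on a protected branch.
    sample = {KEY: "constructed-sample-token-123", "CI_COMMIT_REF_PROTECTED": "true"}
    print("token fingerprint:", fingerprint(load_token(sample)))
```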

    For more information on using GitLab variables with Pulumi, you can visit the GitLab provider documentation: