Protected Artifacts Publishing in GitLab CI

How do I set up protected artifacts publishing in GitLab CI?

In this guide, we will set up protected artifacts publishing in GitLab CI using Pulumi. We will create an S3 bucket for storing artifacts, configure the bucket with appropriate policies to ensure security, and set up a GitLab CI pipeline to publish artifacts to this bucket.

Key Points:

  • Create an S3 bucket to store artifacts.
  • Configure bucket policies to restrict access.
  • Set up GitLab CI to publish artifacts to the S3 bucket.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an S3 bucket for storing artifacts
const artifactsBucket = new aws.s3.Bucket("artifactsBucket", {
    bucket: "my-protected-artifacts-bucket",
    // Canned ACLs are a legacy mechanism; the bucket policy below is what
    // actually restricts who can read and write the artifacts.
    acl: "private",
});

// Define a policy that allows read/write access on the objects in the bucket
// only to the named IAM role. Replace ACCOUNT_ID and the role name with the
// account and role your GitLab CI runner uses.
const bucketPolicy = new aws.s3.BucketPolicy("bucketPolicy", {
    bucket: artifactsBucket.bucket,
    policy: artifactsBucket.bucket.apply(bucketName => JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Principal: {
                    AWS: [
                        "arn:aws:iam::ACCOUNT_ID:role/YourGitLabCIUserRole",
                    ],
                },
                Action: [
                    "s3:GetObject",
                    "s3:PutObject",
                ],
                Resource: [
                    `arn:aws:s3:::${bucketName}/*`,
                ],
            },
        ],
    })),
});

// Export the bucket name and a console link to the bucket's permissions tab
export const bucketName = artifactsBucket.bucket;
export const bucketPolicyUrl = pulumi.interpolate`https://s3.console.aws.amazon.com/s3/buckets/${artifactsBucket.bucket}?region=${aws.config.region}&tab=permissions`;

// GitLab CI configuration (add this to your .gitlab-ci.yml file).
// The deploy job runs the AWS CLI, so the runner needs credentials for the
// role named in the bucket policy; supply them as protected CI/CD variables
// rather than hard-coding them in the pipeline file.
/*
stages:
  - build
  - deploy

build:
  stage: build
  script:
    - echo "Building the project..."
    - mkdir -p artifacts
    - echo "Build artifact content" > artifacts/build.txt
  artifacts:
    paths:
      - artifacts/

deploy:
  stage: deploy
  script:
    - echo "Deploying artifacts to S3..."
    - aws s3 cp artifacts/ s3://my-protected-artifacts-bucket/ --recursive
  only:
    - main
*/
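The bucket policy above is written inline as one statement that grants a single role both read and write. The following added example (not part of the Pulumi answer above) builds the same kind of policy as a plain object, with the upload and download principals separated and a Deny for non-TLS requests, and then lints it before it would be handed to aws.s3.BucketPolicy. The role ARNs and bucket name are constructed placeholders; the lint flags an unfilled placeholder such as the page's "ACCOUNT_ID" because it is not a well-formed IAM ARN.

```typescript
// Added example: build and lint an artifact-bucket policy document.
// Bucket name and role ARNs used here are constructed placeholders.

type Statement = {
    Sid?: string;
    Effect: "Allow" | "Deny";
    Principal: "*" | { AWS: string[] };
    Action: string[];
    Resource: string[];
    Condition?: Record<string, Record<string, unknown>>;
};

type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };

// Separate write and read principals: the CI deploy job only needs PutObject,
// whatever consumes the artifacts only needs GetObject (plus ListBucket on
// the bucket itself so it can enumerate keys).
function buildArtifactBucketPolicy(
    bucketName: string,
    writerRoleArns: string[],
    readerRoleArns: string[],
): PolicyDocument {
    const bucketArn = `arn:aws:s3:::${bucketName}`;
    const objectsArn = `${bucketArn}/*`;
    return {
        Version: "2012-10-17",
        Statement: [
            {
                Sid: "AllowArtifactUpload",
                Effect: "Allow",
                Principal: { AWS: writerRoleArns },
                Action: ["s3:PutObject"],
                Resource: [objectsArn],
            },
            {
                Sid: "AllowArtifactDownload",
                Effect: "Allow",
                Principal: { AWS: readerRoleArns },
                Action: ["s3:GetObject", "s3:ListBucket"],
                Resource: [objectsArn, bucketArn],
            },
            {
                // Refuse any request that does not arrive over TLS, whoever sends it.
                Sid: "DenyInsecureTransport",
                Effect: "Deny",
                Principal: "*",
                Action: ["s3:*"],
                Resource: [bucketArn, objectsArn],
                Condition: { Bool: { "aws:SecureTransport": "false" } },
            },
        ],
    };
}

// Lint the Allow statements: explicit IAM role/user principals only, no
// wildcard actions, and every resource inside this bucket. Returns the list
// of findings; an empty list means the policy passes.
function lintBucketPolicy(policy: PolicyDocument, bucketName: string): string[] {
    const findings: string[] = [];
    const bucketArn = `arn:aws:s3:::${bucketName}`;
    const iamArn = /^arn:aws:iam::\d{12}:(role|user)\//;
    for (const s of policy.Statement) {
        const sid = s.Sid ?? "<no Sid>";
        if (s.Effect !== "Allow") continue;
        if (s.Principal === "*") {
            findings.push(`${sid}: Allow with wildcard principal`);
        } else if (s.Principal.AWS.length === 0) {
            findings.push(`${sid}: Allow with no principals`);
        } else {
            for (const p of s.Principal.AWS) {
                if (!iamArn.test(p)) findings.push(`${sid}: principal is not an IAM role/user ARN: ${p}`);
            }
        }
        if (s.Action.some(a => a === "*" || a === "s3:*")) {
            findings.push(`${sid}: Allow grants wildcard action`);
        }
        for (const r of s.Resource) {
            if (r !== bucketArn && !r.startsWith(`${bucketArn}/`)) {
                findings.push(`${sid}: resource outside bucket: ${r}`);
            }
        }
    }
    return findings;
}
```

In a Pulumi program the object returned by buildArtifactBucketPolicy would be passed through JSON.stringify inside the .apply callback, exactly where the page's inline literal sits; running lintBucketPolicy first turns a forgotten placeholder or an over-broad grant into a failed build instead of a deployed bucket.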

Summary

In this guide, we created an S3 bucket with restricted access for storing artifacts. We defined a bucket policy that allows read/write access only to a specific IAM role. Additionally, we provided a GitLab CI configuration that publishes artifacts to the S3 bucket from the main branch. With this setup, artifacts are stored in a private bucket and can be read or written only by the IAM role named in the policy.
