Configuring OpenID Connect for GitLab

    This document outlines the steps required to configure Pulumi Cloud to accept GitLab id_tokens and exchange them for organization access tokens.

    This guide walks through the Pulumi Cloud UI. You can also configure OIDC Issuers via the REST API or the OidcIssuer resource in the Pulumi Service provider.
    This guide demonstrates using organization tokens. Depending on your Pulumi edition, you can also use personal or team tokens by adjusting the token type in the authorization policies and the requested-token-type parameter.

    Prerequisites

    • You must be an admin of your Pulumi organization.
    This guide is based on GitLab's own documentation for CI/CD ID tokens, which is subject to change. For the most current information, refer to the official GitLab documentation.

    Register the OIDC Issuer

    1. Navigate to Settings → Access Management → OIDC Issuers and select Register issuer.
    2. Name the issuer and set the issuer URL to https://gitlab.com/ (or, for GitLab self-managed, the base URL of your instance; this must match the iss claim in the tokens it mints).
    3. Submit the form.

    Configure the authorization policies

    1. Select the issuer name.

    2. Set Decision to Allow.

    3. Set Token type to Organization.

    4. Add a policy to allow OIDC and configure the audience and subject claims for your organization and repositories:

      • Aud: urn:pulumi:org:<org-name>
      • Sub: project_path:<namespace>/<project>:ref_type:branch:ref:<branch-name>

      Scope the subject as narrowly as you can. Binding the policy to a single protected branch means that only pipelines running on that branch can exchange their id_token for an organization token. A job on any other ref, including the source branch of a merge request pipeline, presents a different sub and will be rejected unless it has its own policy.

      For more information about GitLab token claims, see the official GitLab documentation.

    5. Select Save policies.
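    Before relying on the policies, confirm that the aud and sub values you entered match what a job on the intended branch will actually present. The following Python helper is an added example, not code from Pulumi or GitLab: it builds the expected aud and sub from the values GitLab exposes as CI_PROJECT_PATH and CI_COMMIT_REF_NAME, decodes a token's claims and reports which of iss, aud or sub would fail an Allow policy. The token decoded here is constructed and unsigned so the example runs offline; the helper does not verify signatures (Pulumi Cloud does that against the issuer's JWKS), so use it only to debug a policy mismatch, never as an authorization check. The organization acme and project acme/infra are assumptions.

```python
"""Added example (not part of Pulumi's or GitLab's documentation): derive the
aud and sub values an OIDC authorization policy must contain for a GitLab CI
job, and check a GitLab id_token's claims against that policy.

Signatures are NOT verified here; Pulumi Cloud verifies them against the
issuer's JWKS. This only decodes claims to explain why a login was refused.
"""
import base64
import json


def pulumi_audience(org_name: str) -> str:
    """The aud value the policy expects: urn:pulumi:org:<org-name>."""
    return f"urn:pulumi:org:{org_name}"


def gitlab_subject(project_path: str, ref_type: str, ref: str) -> str:
    """The sub claim GitLab mints, built from CI_PROJECT_PATH, the ref type
    (branch or tag) and CI_COMMIT_REF_NAME."""
    return f"project_path:{project_path}:ref_type:{ref_type}:ref:{ref}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def check_policy(claims: dict, issuer: str, org_name: str, subjects: set) -> list:
    """Compare iss/aud/sub against an Allow policy. Returns the list of reasons
    the token would be rejected; an empty list means every claim matches."""
    problems = []
    # The registered issuer URL and the iss claim may differ only by a trailing slash.
    if str(claims.get("iss", "")).rstrip("/") != issuer.rstrip("/"):
        problems.append(f"iss mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if pulumi_audience(org_name) not in auds:
        problems.append(f"aud mismatch: {aud!r}")
    if claims.get("sub") not in subjects:
        problems.append(f"sub mismatch: {claims.get('sub')!r}")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT (alg none) so the decoder can be
    exercised offline. Real GitLab tokens are RS256-signed."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    # Constructed claims resembling a job on the protected branch main (assumed names).
    main_claims = {
        "iss": "https://gitlab.com",
        "aud": pulumi_audience("acme"),
        "sub": gitlab_subject("acme/infra", "branch", "main"),
        "project_path": "acme/infra", "ref_type": "branch", "ref": "main",
    }
    policy = {gitlab_subject("acme/infra", "branch", "main")}
    token = make_unsigned_token(main_claims)
    print("main branch:", check_policy(decode_jwt_claims(token), "https://gitlab.com/", "acme", policy))
    # A merge request pipeline carries its source branch in sub and misses a main-only policy.
    mr_claims = dict(main_claims, sub=gitlab_subject("acme/infra", "branch", "feature-x"), ref="feature-x")
    print("MR pipeline:", check_policy(decode_jwt_claims(make_unsigned_token(mr_claims)),
                                       "https://gitlab.com/", "acme", policy))
```

    In a pipeline, passing the job's $GITLAB_OIDC_TOKEN to decode_jwt_claims shows the exact sub GitLab minted, which is the string to paste into the policy; the second run above shows why a preview job in a merge request pipeline needs a policy for its source branch rather than for main.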

    Set up GitLab CI to use Pulumi OIDC authentication

    In your .gitlab-ci.yml, configure the job to request an ID token and use it with the Pulumi CLI:

    variables:
      PULUMI_ORG: "org-name"
    
    .pulumi-oidc:
      image:
        name: pulumi/pulumi:latest
        entrypoint: [""]
      id_tokens:
        GITLAB_OIDC_TOKEN:
          aud: "urn:pulumi:org:${PULUMI_ORG}"
      before_script:
        - pulumi login --oidc-token "$GITLAB_OIDC_TOKEN" --oidc-org "$PULUMI_ORG" --cloud-url https://api.pulumi.com
    

    Replace org-name with your Pulumi organization name.

    Sample GitLab CI pipeline

    variables:
      PULUMI_ORG: "org-name"
      STACK_NAME: "org-name/project-name/stack-name"
    
    stages:
      - preview
      - deploy
    
    .pulumi-oidc:
      image:
        name: pulumi/pulumi:latest
        entrypoint: [""]
      id_tokens:
        GITLAB_OIDC_TOKEN:
          aud: "urn:pulumi:org:${PULUMI_ORG}"
      before_script:
        - pulumi login --oidc-token "$GITLAB_OIDC_TOKEN" --oidc-org "$PULUMI_ORG" --cloud-url https://api.pulumi.com
    
    # Runs on merge request pipelines, so the id_token's sub carries the source
    # branch; the issuer needs a policy that allows those branches, not only main.
    pulumi-preview:
      extends: .pulumi-oidc
      stage: preview
      script:
        - cd infrastructure
        - npm ci
        - pulumi preview --stack "$STACK_NAME"
      rules:
        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    
    pulumi-up:
      extends: .pulumi-oidc
      stage: deploy
      script:
        - cd infrastructure
        - npm ci
        - pulumi up --stack "$STACK_NAME" --yes
      rules:
        - if: $CI_COMMIT_BRANCH == "main"
      environment:
        name: production