ContextQMD
Back to Gitlabhq

Secure Files administration

doc/administration/cicd/secure_files.md

18.11.26.8 KB
Original Source

{{< details >}}

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab Self-Managed

{{< /details >}}

{{< history >}}

{{< /history >}}

You can securely store up to 100 files for use in CI/CD pipelines as secure files. These files are stored securely outside of your project's repository and are not version controlled. It is safe to store sensitive information in these files. Secure files support both plain text and binary file types, and must be 5 MB or less.

The storage location of these files can be configured using the options described below, but the default locations are:

  • /var/opt/gitlab/gitlab-rails/shared/ci_secure_files for installations using the Linux package.
  • /home/git/gitlab/shared/ci_secure_files for self-compiled installations.

Use external object storage configuration for GitLab Helm chart installations.

Disabling Secure Files

You can disable Secure Files across the entire GitLab instance. You might want to disable Secure Files to reduce disk space, or to remove access to the feature.

To disable Secure Files, follow the steps below according to your installation.

Prerequisites:

  • You must be an administrator.

For Linux package installations

  1. Edit /etc/gitlab/gitlab.rb and add the following line:

    ruby
    gitlab_rails['ci_secure_files_enabled'] = false

  2. Save the file and reconfigure GitLab.

For self-compiled installations

  1. Edit /home/git/gitlab/config/gitlab.yml and add or amend the following lines:

    yaml
    ci_secure_files:
  enabled: false

  2. Save the file and restart GitLab for the changes to take effect.

Using local storage

The default configuration uses local storage. To change the location where Secure Files are stored locally, follow the steps below.

For Linux package installations

  1. To change the storage path for example to /mnt/storage/ci_secure_files, edit /etc/gitlab/gitlab.rb and add the following line:

    ruby
    gitlab_rails['ci_secure_files_storage_path'] = "/mnt/storage/ci_secure_files"

  2. Save the file and reconfigure GitLab.

For self-compiled installations

  1. To change the storage path for example to /mnt/storage/ci_secure_files, edit /home/git/gitlab/config/gitlab.yml and add or amend the following lines:

    yaml
    ci_secure_files:
  enabled: true
  storage_path: /mnt/storage/ci_secure_files

  2. Save the file and restart GitLab for the changes to take effect.

Using object storage

{{< details >}}

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab Self-Managed

{{< /details >}}

Instead of storing Secure Files on disk, you should use one of the supported object storage options. This configuration relies on valid credentials to be configured already.

Consolidated object storage

{{< history >}}

  • Support for consolidated object storage was introduced in GitLab 17.0.

{{< /history >}}

Using the consolidated form of the object storage is recommended.

Storage-specific object storage

The following settings are:

  • Nested under ci_secure_files: and then object_store: on self-compiled installations.
  • Prefixed by ci_secure_files_object_store_ on Linux package installations.
SettingDescriptionDefault
enabledEnable/disable object storagefalse
remote_directoryThe bucket name where Secure Files are stored
connectionVarious connection options described below

S3-compatible connection settings

See the available connection settings for different providers.

{{< tabs >}}

{{< tab title="Linux package (Omnibus)" >}}

  1. Edit /etc/gitlab/gitlab.rb and add the following lines, but using the values you want:

    ruby
    gitlab_rails['ci_secure_files_object_store_enabled'] = true
gitlab_rails['ci_secure_files_object_store_remote_directory'] = "ci_secure_files"
gitlab_rails['ci_secure_files_object_store_connection'] = {
  'provider' => 'AWS',
  'region' => 'eu-central-1',
  'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
  'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY'
}

    [!note] If you are using AWS IAM profiles, be sure to omit the AWS access key and secret access key/value pairs:

    ruby
    gitlab_rails['ci_secure_files_object_store_connection'] = {
  'provider' => 'AWS',
  'region' => 'eu-central-1',
  'use_iam_profile' => true
}

  2. Save the file and reconfigure GitLab:

    shell
    sudo gitlab-ctl reconfigure

  3. Migrate any existing local states to the object storage.

{{< /tab >}}

{{< tab title="Self-compiled (source)" >}}

  1. Edit /home/git/gitlab/config/gitlab.yml and add or amend the following lines:

    yaml
    ci_secure_files:
  enabled: true
  object_store:
    enabled: true
    remote_directory: "ci_secure_files"  # The bucket name
    connection:
      provider: AWS  # Only AWS supported at the moment
      aws_access_key_id: AWS_ACCESS_KEY_ID
      aws_secret_access_key: AWS_SECRET_ACCESS_KEY
      region: eu-central-1

  2. Save the file and restart GitLab:

    shell
    # For systems running systemd
sudo systemctl restart gitlab.target

# For systems running SysV init
sudo service gitlab restart

  3. Migrate any existing local states to the object storage.

{{< /tab >}}

{{< /tabs >}}

Migrate to object storage

{{< history >}}

{{< /history >}}

[!warning] It's not possible to migrate Secure Files from object storage back to local storage, so proceed with caution.

To migrate Secure Files to object storage, follow the instructions below.

  • For Linux package installations:

    shell
    sudo gitlab-rake gitlab:ci_secure_files:migrate

  • For self-compiled installations:

    shell
    sudo -u git -H bundle exec rake gitlab:ci_secure_files:migrate RAILS_ENV=production