Secure Files administration
-
Introduced in GitLab 14.8 with a flag named
ci_secure_files
. Disabled by default. -
Generally available in GitLab 15.7. Feature flag
ci_secure_files
removed.
You can securely store up to 100 files for use in CI/CD pipelines as secure files. These files are stored securely outside of your project’s repository and are not version controlled. It is safe to store sensitive information in these files. Secure files support both plain text and binary file types, and must be 5 MB or less.
The storage location of these files can be configured using the options described below, but the default locations are:
-
/var/opt/gitlab/gitlab-rails/shared/ci_secure_files
for installations using the Linux package. -
/home/git/gitlab/shared/ci_secure_files
for self-compiled installations.
Use external object storage configuration for GitLab Helm chart installations.
Disabling Secure Files
You can disable Secure Files across the entire GitLab instance. You might want to disable Secure Files to reduce disk space, or to remove access to the feature.
To disable Secure Files, follow the steps below according to your installation.
Prerequisite:
- You must be an administrator.
For Linux package installations
-
Edit
/etc/gitlab/gitlab.rb
and add the following line:gitlab_rails['ci_secure_files_enabled'] = false
-
Save the file and reconfigure GitLab.
For self-compiled installations
-
Edit
/home/git/gitlab/config/gitlab.yml
and add or amend the following lines:ci_secure_files: enabled: false
-
Save the file and restart GitLab for the changes to take effect.
Using local storage
The default configuration uses local storage. To change the location where Secure Files are stored locally, follow the steps below.
For Linux package installations
-
To change the storage path for example to
/mnt/storage/ci_secure_files
, edit/etc/gitlab/gitlab.rb
and add the following line:gitlab_rails['ci_secure_files_storage_path'] = "/mnt/storage/ci_secure_files"
-
Save the file and reconfigure GitLab.
For self-compiled installations
-
To change the storage path for example to
/mnt/storage/ci_secure_files
, edit/home/git/gitlab/config/gitlab.yml
and add or amend the following lines:ci_secure_files: enabled: true storage_path: /mnt/storage/ci_secure_files
-
Save the file and restart GitLab for the changes to take effect.
Using object storage
Instead of storing Secure Files on disk, you should use one of the supported object storage options. This configuration relies on valid credentials to be configured already.
Read more about using object storage with GitLab.
Object storage settings
The following settings are:
- Nested under
ci_secure_files:
and thenobject_store:
on self-compiled installations. - Prefixed by
ci_secure_files_object_store_
on Linux package installations.
Setting | Description | Default |
---|---|---|
enabled | Enable/disable object storage | false |
remote_directory | The bucket name where Secure Files are stored | |
connection | Various connection options described below |
S3-compatible connection settings
See the available connection settings for different providers.
For Linux package installations:
-
Edit
/etc/gitlab/gitlab.rb
and add the following lines, but using the values you want:gitlab_rails['ci_secure_files_object_store_enabled'] = true gitlab_rails['ci_secure_files_object_store_remote_directory'] = "ci_secure_files" gitlab_rails['ci_secure_files_object_store_connection'] = { 'provider' => 'AWS', 'region' => 'eu-central-1', 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID', 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY' }
If you are using AWS IAM profiles, be sure to omit the AWS access key and secret access key/value pairs:gitlab_rails['ci_secure_files_object_store_connection'] = { 'provider' => 'AWS', 'region' => 'eu-central-1', 'use_iam_profile' => true }
- Save the file and reconfigure GitLab.
- Migrate any existing local states to the object storage.
For self-compiled installations
-
Edit
/home/git/gitlab/config/gitlab.yml
and add or amend the following lines:ci_secure_files: enabled: true object_store: enabled: true remote_directory: "ci_secure_files" # The bucket name connection: provider: AWS # Only AWS supported at the moment aws_access_key_id: AWS_ACCESS_KEY_ID aws_secret_access_key: AWS_SECRET_ACCESS_KEY region: eu-central-1
- Save the file and restart GitLab for the changes to take effect.
- Migrate any existing local states to the object storage.
Migrate to object storage
Introduced in GitLab 16.1.
To migrate Secure Files to object storage, follow the instructions below.
-
For Linux package installations:
sudo gitlab-rake gitlab:ci_secure_files:migrate
-
For self-compiled installations:
sudo -u git -H bundle exec rake gitlab:ci_secure_files:migrate RAILS_ENV=production