Integrating FortiPAM and GitLab

On the GitLab side, there are three ways to obtain the JWT that a CI job presents to FortiPAM:

  • ID Token Mode (GitLab recommended)

  • Legacy $CI_JOB_JWT

  • Terraform Mode

To integrate FortiPAM and GitLab:
  1. In the CLI console, enter the following commands to configure the JWKS key:
       config secret jwt-key
        edit [key-name]
         set type jwks
         set jwks-url <gitlab jwks-url>
        next
       end

    The default jwks-url of GitLab is https://[GitLab-FQDN]/oauth/discovery/keys.

    After finishing the above configuration, use the show secret jwt command to check whether the public key was retrieved from GitLab.

    You should see the following line in the output:

    set key "-----BEGIN PUBLIC KEY-----"

    If the public key does not appear, use the diagnose wad jwt-key refresh [key-name] command to retrieve the public key manually.

  2. In the CLI console, enter the following commands to configure the JWT user:
     config system api-user
      edit "git214_project_01_id_token"
       set type jwt
       set accprofile "pam_standard_user"
       set vdom "root"
       config claims
        edit "project_id"
         set value "2"
        next
        edit "iss"
         set value "gitlab214.fortipam.ca"
        next
        edit "project_path"
         set value "gitlab-instance-ff0dfc9a/robert_pj_001"
        next
       end
      next
     end

    The claim names and values configured under config claims must match the claims carried in the token that GitLab issues to the job.

  3. Grant secret permission to the JWT user created in step 2 in the GUI.

    Note: This step is identical to how you would normally assign secret permissions to a regular user.
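Step 2 requires the api-user's claims to match what GitLab puts in the token, and a quick way to check that before a job fails is to compare a token's payload with that configuration. The Python below is an added example, not Fortinet's or GitLab's code: the function names, the constructed unsigned sample tokens and the claim values copied from step 2 are illustrative, and signature verification is deliberately left to FortiPAM's JWKS check from step 1.

```python
import base64
import json

# Claim values configured on the FortiPAM api-user in step 2 of this page.
FORTIPAM_CLAIMS = {
    "project_id": "2",
    "iss": "gitlab214.fortipam.ca",
    "project_path": "gitlab-instance-ff0dfc9a/robert_pj_001",
}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def jwt_payload(token: str) -> dict:
    """Return a compact JWS token's claims without checking its signature.
    Signature and key checks are FortiPAM's job via the JWKS URL of step 1;
    this helper only looks at what GitLab placed in the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def claim_mismatches(token: str, expected: dict) -> dict:
    """Compare the api-user's configured claims with the token's claims.
    Values are compared as strings because the FortiPAM CLI stores every
    claim value as a string. Returns {claim: (configured, in_token)} for
    each missing or differing claim; an empty dict means the token matches."""
    payload = jwt_payload(token)
    mismatches = {}
    for name, configured in expected.items():
        actual = payload.get(name)
        if actual is None or str(actual) != configured:
            mismatches[name] = (configured, actual)
    return mismatches

def constructed_token(payload: dict) -> str:
    # Constructed, unsigned stand-in for a GitLab ID token (real ones are
    # RS256-signed); only the payload segment matters for claim inspection.
    return ".".join([_b64url_encode({"alg": "RS256", "typ": "JWT"}),
                     _b64url_encode(payload), "sig"])

# Constructed samples: one token from the configured project, one from another.
SAMPLE_MATCH = constructed_token({**FORTIPAM_CLAIMS, "aud": "https://[GitLab_Addr]"})
SAMPLE_OTHER = constructed_token({**FORTIPAM_CLAIMS, "project_id": "7",
                                  "project_path": "other-group/other_pj"})
```

Running claim_mismatches on the real VAULT_ID_TOKEN or CI_JOB_JWT inside a job shows exactly which claim FortiPAM would not match, without sending the token anywhere.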

.gitlab-ci.yml example with ID token mode

 build-job:
  stage: build
  variables:
   VAULT_ADDR: https://[PAM_Addr]:443
  id_tokens:
   VAULT_ID_TOKEN:
    aud: https://[GitLab_Addr]
  script:
   - echo $VAULT_ID_TOKEN
   - export TOKEN_INFO="$(curl -k https://10.59.112.15:443/auth/jwt/login -H "Content-Type:application/json" -d "{\"jwt\":\"$VAULT_ID_TOKEN\"}")"
   - echo $TOKEN_INFO
   - export Token=$(echo "$TOKEN_INFO" | jq -r '.["access-token"]')
   - echo $Token
   - export password="$(curl -k https://[PAM_Addr]/api/v2/cmdb/secret/database/1?fieldname=Password -H "Authorization:Bearer $Token")"
   - echo $password
   - export username="$(curl -k https://10.59.112.15/api/v2/cmdb/secret/database/1?fieldname=Username -H "X-Authorization-Cred-Token:$Token")"
   - echo $username

.gitlab-ci.yml example with legacy $CI_JOB_JWT mode

 build-job:
  stage: build
  script:
   - echo $CI_JOB_JWT
   - export TOKEN_INFO="$(curl -k https://[PAM_Addr]:443/auth/jwt/login -H "Content-Type:application/json" -d "{\"jwt\":\"$CI_JOB_JWT\"}")"
   - echo $TOKEN_INFO
   - export Token=$(echo "$TOKEN_INFO" | jq -r '.["access-token"]')
   - echo $Token
   - export password="$(curl -k https://[PAM_Addr]/api/v2/cmdb/secret/database/1?fieldname=Password -H "Authorization:Bearer $Token")"
   - echo $password
   - export username="$(curl -k https://[PAM_Addr]/api/v2/cmdb/secret/database/1?fieldname=Username -H "X-Authorization-Cred-Token:$Token")"
   - echo $username

.gitlab-ci.yml example with Terraform mode

 build-job:
  stage: build
  script:
   - ls -l
   - echo $CI_JOB_JWT
   - export TOKEN_INFO="$(curl -k https://[PAM_Addr]:443/auth/jwt/login -H "Content-Type:application/json" -d "{\"jwt\":\"$CI_JOB_JWT\"}")"
   - echo $TOKEN_INFO
   - export TF_VAR_Access_Token=$(echo "$TOKEN_INFO" | jq -r '.["access-token"]')
   - echo $TF_VAR_Access_Token
   - terraform init
   - terraform apply
   - cat terraform.tfstate

Note: The Terraform configuration file (main.tf) used by this job is:

 variable "Access_Token" {
  description = "access_token dynamically generated by JWT auth"
 }
 terraform {
  required_providers {
   fortipam = {
    source  = "fortinetdev/fortipam"
    version = "1.0.0"
   }
  }
 }
 provider "fortipam" {
  base_url     = "https://10.59.112.19"
  access_token = var.Access_Token
  verify_ssl   = false
 }
 data "fortipam_secret" "usr_test" {
  path  = "Linux"
  name  = "Ubuntu_100"
  field = "Username"
 }
 data "fortipam_secret" "pwd" {
  path  = "Linux"
  name  = "Ubuntu_100"
  field = "Password"
 }