Securely Using Keytab Files in GitLab CI/CD

Using keytab files in your CI/CD pipelines can enhance security, but it requires careful handling to avoid exposing sensitive information. This guide provides best practices for using keytab files securely in GitLab CI/CD.

Security Concerns with Keytab Files

Storing the user.keytab file directly in the repository or in an unsecured location poses significant security risks, including unauthorized access. Even in private repositories, storing secrets in plain text is not advisable, as they may inadvertently get logged or exposed.

Protected Variables in GitLab CI/CD

GitLab CI/CD supports protected variables, which are accessible only to protected branches or tags and can additionally be masked in logs. However, while this helps secure sensitive information, a keytab is binary data that must be written to disk inside the job before kinit can use it, so it still needs careful handling there.

Secrets Management

For improved security, use a secrets management solution (e.g., HashiCorp Vault, AWS Secrets Manager, or GitLab’s external vault integration) to store and retrieve the keytab file or its contents during the pipeline execution.

How to Use Protected Variables for the Principal and Keytab File

Step 1: Store the Principal

To store the principal name as a protected variable in GitLab CI/CD:

  1. Navigate to Settings > CI/CD > Variables in your GitLab project.
  2. Add a variable named KERBEROS_PRINCIPAL with the value user@domain.nl.
  3. Mark the variable as “Protected” and “Masked” to ensure it is available only to protected branches and does not get logged.

Step 2: Store the Keytab File Securely

Storing binary files like keytabs directly as variables can be challenging, as GitLab CI/CD variables are typically text-based. However, you can store binary data in an encoded format (e.g., using base64), which can be decoded into a file during the pipeline execution.

Steps to Handle the Keytab Securely:

  1. Encode the user.keytab file as base64 on your local system:

    base64 user.keytab > user.keytab.b64
    
  2. Copy the contents of user.keytab.b64 and store it as a protected variable in GitLab CI/CD (e.g., KERBEROS_KEYTAB_B64).

  3. In your .gitlab-ci.yml, decode the base64 data and write it to a temporary file before executing kinit:

    ansible_provision:
      before_script:
        - umask 077  # Files created from here on are owner-only (0600)
        - echo "$KERBEROS_KEYTAB_B64" | base64 -d > user.keytab
        - chmod 600 user.keytab  # Restrict permissions to the file
      script:
        - kinit -k -f -t user.keytab "$KERBEROS_PRINCIPAL"  # Options precede the principal
        - ansible-playbook playbook.yml
      after_script:
        - kdestroy || true  # Discard the ticket cache obtained by kinit
        - rm -f user.keytab  # Clean up the file after use

This approach ensures that the keytab file is created temporarily during the pipeline execution and is removed afterward, mitigating the risk of exposure.
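The following shell helpers are an added example, not code from the original guide or from GitLab: they walk through the encode, check, decode and clean-up steps above on a constructed sample, and add the check a practitioner wants before pasting the value into GitLab, namely whether it can be marked "Masked" at all (GitLab masks only single-line values of at least 8 characters from a restricted character set, so the default line-wrapped base64 output would not qualify). The function names are this example's own, and it assumes GNU coreutils base64 (for `-w 0`) and a POSIX shell.

```shell
#!/bin/sh
# Added example (not part of the original guide): helpers for the
# encode -> store as CI/CD variable -> decode to a restricted file -> clean up
# flow. Assumes GNU coreutils base64 (-w 0) and a POSIX shell.

# Encode a keytab as ONE base64 line. GitLab can only mask single-line
# values, so a wrapped encoding (base64's default) could never be "Masked".
encode_keytab() {
  base64 -w 0 "$1"
}

# Conservative check of GitLab's masking rules as understood by the author of
# this example: at least 8 characters, a single line, base64 alphabet only
# (GitLab also accepts a few punctuation characters that this check rejects).
# Returns 0 when the value can be marked "Masked", 1 otherwise.
is_maskable() {
  value="$1"
  nl=$(printf '\nx'); nl=${nl%x}            # a literal newline
  [ "${#value}" -ge 8 ] || return 1
  case "$value" in *"$nl"*) return 1 ;; esac
  if printf '%s' "$value" | LC_ALL=C grep -q '[^A-Za-z0-9+/=]'; then
    return 1
  fi
  return 0
}

# Decode a base64 value into a keytab inside a fresh private directory,
# created under umask 077 so the file is never group/world readable, not
# even briefly. Prints the keytab path; returns non-zero on decode failure.
materialize_keytab() {
  dir=$(mktemp -d) || return 1
  chmod 700 "$dir"
  if ! (umask 077 && printf '%s' "$1" | base64 -d > "$dir/user.keytab"); then
    rm -rf "$dir"
    return 1
  fi
  printf '%s\n' "$dir/user.keytab"
}

# Remove the keytab and its directory once kinit no longer needs it.
cleanup_keytab() {
  rm -f "$1"
  rmdir "$(dirname "$1")" 2>/dev/null || true
}

# Round trip on a CONSTRUCTED sample: a few bytes beginning with the 0x05 0x02
# keytab format-version marker. This is not a real credential.
demo_roundtrip() {
  sample=$(mktemp) || return 1
  printf '\005\002\000\000\000\001' > "$sample"
  b64=$(encode_keytab "$sample") || return 1
  is_maskable "$b64" || { echo "value would not be maskable" >&2; return 1; }
  kt=$(materialize_keytab "$b64") || return 1
  cmp -s "$sample" "$kt" || return 1            # decoded file matches original
  [ -n "$(find "$kt" -perm 600)" ] || return 1  # owner read/write only
  cleanup_keytab "$kt"
  rm -f "$sample"
  [ ! -e "$kt" ]
}

demo_roundtrip && echo "round trip OK"
```

In a pipeline, `materialize_keytab "$KERBEROS_KEYTAB_B64"` would run before `kinit -k -t <path> "$KERBEROS_PRINCIPAL"` and `cleanup_keytab` afterwards. Note that GitLab runs `after_script` in a separate shell, so a path generated by `mktemp` in `script` is not visible there; that is why the guide's own job writes to the fixed name `user.keytab` and removes it by that name.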

Can We Pass the Keytab Value on the Command Line with kinit?

Unfortunately, the kinit command does not support passing keytab contents directly on the command line. It requires the file path via the -t option. Hence, creating a temporary file from the variable (as outlined above) is necessary before executing kinit.

If you prefer to avoid creating temporary files, consider exploring alternative Kerberos authentication methods or tools that can handle keys in memory, although this is not standard with kinit.

Last modified August 27, 2025: phx gitlab draft C2-633 (4b40215)