docs: service account instructions for gitlab (#970)

2025-06-01 10:22:43 +02:00 · 2020-06-22 15:04:36 -06:00 · 2020-06-22 15:04:36 -06:00 · ae97d280c5
commit ae97d280c5
parent 09b8d2864f
2 changed files with 18 additions and 1 deletions
--- a/docs/docs/identity-providers/gitlab.md
+++ b/docs/docs/identity-providers/gitlab.md
@ -35,14 +35,31 @@ Your `Client ID` and `Client Secret` will be displayed like below:

 4. Set `Client ID` and `Client Secret` in Pomerium's settings.

+## Service Account

-Your configuration should look like the following example: 
+To use `allowed_groups` in a policy an `idp_service_account` needs to be set in the Pomerium configuration. The service account for Gitlab uses a personal access token generated at: [gitlab.com/profile/personal_access_tokens](https://gitlab.com/profile/personal_access_tokens) with `read_api` access:
+
+![Gitlab Personal Access Token](./img/gitlab/gitlab-personal-access-token.png)
+
+
+The format of the `idp_service_account` for Gitlab is a base64-encoded JSON document:
+
+```json
+{
+  "private_token": "..."
+}
+```
+
+## Pomerium Configuration
+
+Your configuration should look like the following example:

 ```bash
 authenticate_service_url: https://authenticate.localhost.pomerium.io
 idp_provider: "gitlab"
 idp_client_id: "REDACTED"   // gitlab application ID
 idp_client_secret: "REDACTED"   // gitlab application secret
+idp_service_account: "REDACTED"   // gitlab service account
 ```

 When a user first uses pomerium to login, they will be presented with an authorization screen similar to the following depending on the scope parameters setup:
--- a/docs/docs/identity-providers/img/gitlab/gitlab-personal-access-token.png
+++ b/docs/docs/identity-providers/img/gitlab/gitlab-personal-access-token.png