Retrieving pipeline triggerer from GitLab Machine ID usage

[joshuabezaleel]

Hi folks,

Is it possible to retrieve the user identtiy e.g. email from those who trigger a particular pipeline that will connect to the application onboarded behind Teleport? Just like how we could parse the Teleport-Jwt-Assertion header token if we access a frontend application?

We're currently using GITLAB_USER_EMAIL for this to then paired with our RBAC but this approach might not be the most secure one since this environment variable can be overridden by user, and we were thinking it would be great if we can parse it from the connection between the GitLab, the ID token of TBOT_GITLAB_JWT from the usage of Teleport Machine ID on GitLab CI, and the onboarded application.

These are the documentation that we follow on setting up the Teleport Machine ID on our deployment GitLab CI:

• https://goteleport.com/docs/enroll-resources/machine-id/deployment/gitlab/
• https://goteleport.com/docs/enroll-resources/machine-id/access-guides/applications/

Thank you lots!

[webvictim]

@strideynet Do you have any thoughts here?

[strideynet]

This information is available from the audit logs for the bot join from GitLab - unfortunately it's not available for other purposes at the moment. It would be great to understand the use-case a little more since I've discussed this now and again and it's definitely something I'm open to.