
Add aud claim to CI_JOB_JWT to support Terraform

Problem to solve

The Vault integration introduced in 12.10 is really nice and a long time coming. However, when trying to provision a JWT role through Terraform, the vault_jwt_auth_backend_role resource requires bound_audiences to be set for a role of type jwt, and Vault checks that list against the token's aud claim. The JWT in CI_JOB_JWT carries no aud claim, so a role provisioned that way can never be matched by a GitLab job, which makes it impossible to use Terraform to provision a role usable from GitLab. Therefore I would like to see an aud claim added to the CI_JOB_JWT payload to support the ability to use Terraform.

Intended users

Developers building CI/CD pipelines would use this.

User experience goal

A user should be able to use Terraform to create JWT roles, with bound_audiences set, that GitLab CI jobs can use to obtain a Vault token.

Proposal

Since the aud claim is supposed to identify the recipient of the JWT, perhaps we can set it to the base address of the Vault server from which GitLab is retrieving secrets. This could be taken from a group- or project-level CI/CD variable called VAULT_ADDR, which has to be provided anyway when integrating with Vault in a pipeline. If that variable is present, add an aud claim with its value to the CI_JOB_JWT payload.
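What the Terraform side of this would look like, as an added example that is not part of the issue or of any GitLab or HashiCorp code. It assumes the proposed aud claim is present in CI_JOB_JWT and carries the value of the VAULT_ADDR variable; the auth mount path, the GitLab host gitlab.example.com, the policy name, the project ID 22 and the ref are placeholders.

```hcl
# Added example, not from the issue. Assumes CI_JOB_JWT carries an aud claim
# equal to the VAULT_ADDR CI/CD variable (the proposal above). Mount path,
# host name, policy name, project ID and ref are placeholders.

variable "vault_addr" {
  description = "Value of the VAULT_ADDR CI/CD variable; expected in the token's aud claim"
  type        = string
}

# JWT auth mount that validates GitLab-issued tokens against GitLab's JWKS endpoint.
resource "vault_jwt_auth_backend" "gitlab" {
  path         = "jwt"
  type         = "jwt"
  jwks_url     = "https://gitlab.example.com/-/jwks"
  bound_issuer = "gitlab.example.com"
}

# Policy the job will be granted: read-only access to one project's staging secrets.
resource "vault_policy" "myproject_staging" {
  name   = "myproject-staging"
  policy = <<-EOT
    path "secret/data/myproject/staging/*" {
      capabilities = ["read"]
    }
  EOT
}

resource "vault_jwt_auth_backend_role" "myproject_staging" {
  backend   = vault_jwt_auth_backend.gitlab.path
  role_name = "myproject-staging"
  role_type = "jwt"

  # Required by the provider for role_type = "jwt"; Vault accepts the token if
  # any listed value matches its aud claim, which only works once CI_JOB_JWT
  # actually carries aud.
  bound_audiences = [var.vault_addr]

  # aud only names the intended recipient and is set from a project-controlled
  # variable, so it is not an authorization control on its own. Restrict which
  # pipelines may log in with claims GitLab sets itself.
  bound_claims = {
    project_id = "22"
    ref        = "master"
    ref_type   = "branch"
  }

  user_claim             = "user_email"
  token_policies         = [vault_policy.myproject_staging.name]
  token_explicit_max_ttl = 60
}
```

With the role applied, a job exchanges its token with `vault write auth/jwt/login role=myproject-staging jwt=$CI_JOB_JWT`; the login fails until the token's aud claim matches an entry in bound_audiences, which is exactly the gap the issue describes. Keep bound_claims in place even after aud is available, since a token from any project that sets the same VAULT_ADDR would otherwise satisfy the audience check.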

Further details

Right now, I have to create the roles separately using the Vault CLI to bypass Terraform's requirement that a bound_audiences claim be present on the jwt role resource. This change will allow us to have a fully automated solution for provisioning secrets management for teams.

Permissions and Security

Don't see any additional permissions or security needs beyond what is currently in place.

Documentation

Terraform requirements for JWT Auth role: https://www.terraform.io/docs/providers/vault/r/jwt_auth_backend_role.html

Availability & Testing

Any change to the CI_JOB_JWT payload would need to be regression-tested, but since it is a small additive change (one extra claim, emitted only when VAULT_ADDR is set) the testing effort should not be very large.

What does success look like, and how can we measure that?

Success would be demonstrating a fully automated solution using Terraform to provision a new JWT role that Gitlab can use in pipelines.

What is the type of buyer?
