From 6ad05831ed1ca107ec311d5fb519c4c383f554fe Mon Sep 17 00:00:00 2001
From: fdegier
Date: Fri, 18 Jul 2025 15:12:44 +0200
Subject: [PATCH 1/3] Add Duo Agent Platform service account docs

Changelog: added
EE: true
---
 doc/user/gitlab_duo/setup.md | 22 +++++++++++++++++++
 .../components/duo_workflow_settings.vue | 12 +++++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/doc/user/gitlab_duo/setup.md b/doc/user/gitlab_duo/setup.md
index ef5c6e668198bd..5bed3a915a603e 100644
--- a/doc/user/gitlab_duo/setup.md
+++ b/doc/user/gitlab_duo/setup.md
@@ -125,3 +125,25 @@ These tests are performed:
 For GitLab instances earlier than version 17.10, if you are encountering any issues with the health check for:
 
 - GitLab-hosted Duo, see the [troubleshooting page](troubleshooting.md).
+
+## GitLab Duo Agent Platform service account
+
+GitLab Duo Agent Platform optionally uses a service account as it performs actions on behalf of a user.
+
+The token that authenticates requests is a composite of two identities:
+
+- The primary author, which is the Duo Agent Platform [service account](../profile/service_accounts.md).
+  This service account is instance-wide and has the Developer role
+  on the project where the Duo Agent Platform was used. The service account is the owner of the token.
+- The secondary author, which is the human user who submitted the quick action.
+  This user's `id` is included in the scopes of the token.
+
+This composite identity ensures that any activities authored by Duo Agent Platform are
+correctly attributed to the Duo Agent Platform service account.
+At the same time, the composite identity ensures that there is no
+[privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) for the human user.
+
+This [dynamic scope](https://github.com/doorkeeper-gem/doorkeeper/pull/1739)
+is checked during the authorization of the API request.
+When authorization is requested, GitLab validates that both the service account
+and the user who originated the quick action have sufficient permissions.
diff --git a/ee/app/assets/javascripts/ai/settings/components/duo_workflow_settings.vue b/ee/app/assets/javascripts/ai/settings/components/duo_workflow_settings.vue
index 39c4bb61f7bdbf..d6d54486182110 100644
--- a/ee/app/assets/javascripts/ai/settings/components/duo_workflow_settings.vue
+++ b/ee/app/assets/javascripts/ai/settings/components/duo_workflow_settings.vue
@@ -12,6 +12,7 @@ import { s__, sprintf } from '~/locale';
 import axios from '~/lib/utils/axios_utils';
 import { createAlert } from '~/alert';
 import { visitUrlWithAlerts } from '~/lib/utils/url_utility';
+import { helpPagePath } from '~/helpers/help_page_helper';
 
 export default {
   name: 'DuoWorkflowSettings',
@@ -37,6 +38,11 @@ export default {
       isLoading: false,
     };
   },
+  computed: {
+    serviceAccountHelpPath() {
+      return helpPagePath('user/gitlab_duo/setup#gitlab-duo-agent-platform-service-account');
+    },
+  },
   methods: {
     enableWorkflow() {
       this.isLoading = true;
@@ -201,7 +207,11 @@ export default { 'AiPowered|When you turn on GitLab Duo Agent Platform, a service account is created.', ) }} - + {{ s__('AiPowered|What is the Duo Agent Platform service account?') }}
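Review bot: `serviceAccountHelpPath` in the second hunk (`@@ -37,6 +38,11 @@`) is declared as a `computed` property although it reads no reactive state, so the per-instance getter adds indirection without buying caching or reactivity. The component already keeps static values on the options object (`name: 'DuoWorkflowSettings',` is visible in the first hunk), and if this component follows the pattern used elsewhere for help links — I can only see these hunks — the value belongs there too, e.g. `serviceAccountHelpPath: helpPagePath('user/gitlab_duo/setup#gitlab-duo-agent-platform-service-account'),` next to `name:`, read in the template as `$options.serviceAccountHelpPath`. The third hunk's template lines appear truncated in this view, so I cannot confirm how the value is consumed, and the path string itself is revised again in the third patch of this series, so whichever form is kept should be applied there as well.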

-- 
GitLab

From 96c8d8727b48ba3ad2f852a79daf2ece341a11cd Mon Sep 17 00:00:00 2001
From: Suzanne Selhorn
Date: Mon, 21 Jul 2025 08:49:00 -0700
Subject: [PATCH 2/3] Moved content to new page

---
 doc/user/duo_agent_platform/security.md | 26 +++++++++++++++++++++++++
 doc/user/gitlab_duo/setup.md | 22 ---------------------
 2 files changed, 26 insertions(+), 22 deletions(-)
 create mode 100644 doc/user/duo_agent_platform/security.md

diff --git a/doc/user/duo_agent_platform/security.md b/doc/user/duo_agent_platform/security.md
new file mode 100644
index 00000000000000..fbc7f1f3d6cba0
--- /dev/null
+++ b/doc/user/duo_agent_platform/security.md
@@ -0,0 +1,26 @@
+---
+stage: AI-powered
+group: Duo Workflow
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
+title: GitLab Duo Agent Platform authentication and authorization
+---
+
+GitLab Duo Agent Platform uses a service account to perform actions on behalf of a user.
+
+The token that authenticates requests is a composite of two identities:
+
+- The primary author, which is the Duo Agent Platform [service account](../profile/service_accounts.md).
+  This service account is instance-wide and has the Developer role
+  on the project where the Duo Agent Platform was used. The service account is the owner of the token.
+- The secondary author, which is the human user who submitted the quick action.
+  This user's `id` is included in the scopes of the token.
+
+This composite identity ensures that any activities authored by Duo Agent Platform are
+correctly attributed to the Duo Agent Platform service account.
+At the same time, the composite identity ensures that there is no
+[privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) for the human user.
+
+This [dynamic scope](https://github.com/doorkeeper-gem/doorkeeper/pull/1739)
+is checked during the authorization of the API request.
+When authorization is requested, GitLab validates that both the service account
+and the user who originated the quick action have sufficient permissions.
diff --git a/doc/user/gitlab_duo/setup.md b/doc/user/gitlab_duo/setup.md
index 5bed3a915a603e..ef5c6e668198bd 100644
--- a/doc/user/gitlab_duo/setup.md
+++ b/doc/user/gitlab_duo/setup.md
@@ -125,25 +125,3 @@ These tests are performed:
 For GitLab instances earlier than version 17.10, if you are encountering any issues with the health check for:
 
 - GitLab-hosted Duo, see the [troubleshooting page](troubleshooting.md).
-
-## GitLab Duo Agent Platform service account
-
-GitLab Duo Agent Platform optionally uses a service account as it performs actions on behalf of a user.
-
-The token that authenticates requests is a composite of two identities:
-
-- The primary author, which is the Duo Agent Platform [service account](../profile/service_accounts.md).
-  This service account is instance-wide and has the Developer role
-  on the project where the Duo Agent Platform was used. The service account is the owner of the token.
-- The secondary author, which is the human user who submitted the quick action.
-  This user's `id` is included in the scopes of the token.
-
-This composite identity ensures that any activities authored by Duo Agent Platform are
-correctly attributed to the Duo Agent Platform service account.
-At the same time, the composite identity ensures that there is no
-[privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) for the human user.
-
-This [dynamic scope](https://github.com/doorkeeper-gem/doorkeeper/pull/1739)
-is checked during the authorization of the API request.
-When authorization is requested, GitLab validates that both the service account
-and the user who originated the quick action have sufficient permissions.
-- 
GitLab

From 2b956519176945db74e67cdfcc80ec28b042b681 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Caplette?=
Date: Mon, 21 Jul 2025 18:27:30 -0400
Subject: [PATCH 3/3] Fix help path

---
 .../ai/settings/components/duo_workflow_settings.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ee/app/assets/javascripts/ai/settings/components/duo_workflow_settings.vue b/ee/app/assets/javascripts/ai/settings/components/duo_workflow_settings.vue
index d6d54486182110..d7e46cda2ca99e 100644
--- a/ee/app/assets/javascripts/ai/settings/components/duo_workflow_settings.vue
+++ b/ee/app/assets/javascripts/ai/settings/components/duo_workflow_settings.vue
@@ -40,7 +40,7 @@ export default {
   },
   computed: {
     serviceAccountHelpPath() {
-      return helpPagePath('user/gitlab_duo/setup#gitlab-duo-agent-platform-service-account');
+      return helpPagePath('user/duo_agent_platform/security');
     },
   },
   methods: {
-- 
GitLab