diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..c9a15b9
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,10 @@
+read_secrets:
+ image: vault:latest
+ script:
+ - echo $CI_COMMIT_REF_NAME
+ - echo $CI_COMMIT_REF_PROTECTED
+ - export VAULT_ADDR=http://vault.bildme.ru
+ - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=gitlabci-role jwt=$CI_JOB_JWT)"
+ - export PASSWORD="$(vault kv get -field=password secret/gitlab/db1)"
+ - echo $PASSWORD
+ when: manual
diff --git a/docs/vault-gitlab-ci.md b/docs/vault-gitlab-ci.md
new file mode 100644
index 0000000..42c2591
--- /dev/null
+++ b/docs/vault-gitlab-ci.md
@@ -0,0 +1,48 @@
+# Подключаем внешний вольт к Gitlab-CI
+
+1. настраиваем метод jwt
+
+```bash
+vault auth enable jwt
+vault write auth/jwt/config \
+ jwks_url="https://git.realmanual.ru/-/jwks" \
+ bound_issuer="git.realmanual.ru"
+```
+
+2. создаем тестовый секрет
+
+```bash
+vault kv put secret/gitlab/db1 password='pa$$w0rd'
+```
+
+3. настраиваем политику доступа к конкретному секрету
+
+```bash
+vault policy write gitlabci-policy - <
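Review bot: `- echo $PASSWORD` in the `read_secrets` job writes the value just fetched from Vault into the job log, where it is retained and readable by anyone who can view the pipeline, so the line should be dropped or replaced by a presence check such as `- test -n "$PASSWORD"`. `export VAULT_ADDR=http://vault.bildme.ru` makes the job send `$CI_JOB_JWT`, the returned Vault token and the password over plain HTTP, while the docs added in the same commit point the JWT backend at an https JWKS URL; the CI job should use `https://` as well. The login call should quote the token, `jwt="$CI_JOB_JWT"`, to avoid word-splitting, and since `CI_JOB_JWT` is deprecated in newer GitLab releases in favour of the `id_tokens:` keyword, that migration is worth noting as a follow-up if the instance is recent.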