2024-05-14: Multiple reports of authentication failures accessing GitLab.com
Customer Impact
Tokens with infinite lifetimes were expired. This was a planned activity which was scheduled for 00:00 UTC today. Customers with expired tokens will need to start using refreshed tokens.
There's a script developed by one of our team members to get all expired group, subgroup and project access tokens. This should help users identify access tokens they need to recreate.
In some cases retrying the expired tokens are also causing rate limiting to start blocking requests when they exceed 30 failed authentication attempts in 3 minutes.
We have increased our rate limits to alleviate errors resulting from token lifetime limits implementation, from 30 attempts in a 3-minute window, to 500 attempts in a 60-seconds window. The ban time was also reduced from 1 hour to 15 minutes.
Current Status
Token lifetime limits have been implemented on GitLab.com. If you are experiencing increased authentication errors accessing GitLab.com, please see this blog post for details on how to mitigate problems with authentication.
More information will be added as we investigate the issue. For customers believed to be affected by this incident, please subscribe to this issue or monitor our status page for further updates.
📚 References and helpful links
Recent Events (available internally only):
- Feature Flag Log - Chatops to toggle Feature Flags Documentation
- Infrastructure Configurations
- GCP Events (e.g. host failure)
Deployment Guidance
- Deployments Log | Gitlab.com Latest Updates
- Reach out to Release Managers for S1/S2 incidents to discuss Rollbacks, Hot Patching or speeding up deployments. | Rollback Runbook | Hot Patch Runbook
Use the following links to create related issues to this incident if additional work needs to be completed after it is resolved:
- Corrective action ❙ Infradev
- Incident Review ❙ Infra investigation followup
- Confidential Support contact ❙ QA investigation
Note: In some cases we need to redact information from public view. We only do this in a limited number of documented cases. This might include the summary, timeline or any other bits of information, laid out in our handbook page. Any of this confidential data will be in a linked issue, only visible internally. By default, all information we can share, will be public, in accordance to our transparency value.
Security Note: If anything abnormal is found during the course of your investigation, please do not hesitate to contact security.