Docs Update: Group Access Token with api scope cannot create another Group Access Token
Summary
On our self-hosted instance of GitLab (version 14.7.1), we created a group access token with Owner permissions to the group and api scope to use with an external script to grant temporary registry access tokens as needed. We encountered a 400 bad request. A personal access token with the same permissions and scope will successfully create the tokens.
We didn't find any restriction in the API documentation for using Group Access Tokens in this manner. It is reasonable to not allow bots to create bots, but it should be called out in the docs if this is the case. https://docs.gitlab.com/ee/api/group_access_tokens.html
If not intentionally restricted, it is not the expected behavior for group tokens to behave differently than other access tokens.
Steps to reproduce
curl --request POST --header "PRIVATE-TOKEN: <group access token>" \
--header "Content-Type:application/json" \
--data '{ "name":"test_token", "scopes":["read_registry"], "access_level": 20 }' \
"https://gitlab.example.com/api/v4/groups/161/access_tokens"
{"message":"400 Bad request - User does not have permission to create group access token"}
curl --request POST --header "PRIVATE-TOKEN: <personal access token>" \
--header "Content-Type:application/json" \
--data '{ "name":"test_token", "scopes":["read_registry"], "access_level": 20 }' \
"https://gitlab.example.com/api/v4/groups/161/access_tokens"
{"id":91,"name":"test_token","revoked":false,"created_at":"2022-02-11T16:18:49.746Z","scopes":["read_registry"],"user_id":113,"last_used_at":null,"active":true,"expires_at":null,"access_level":20,"token":"<generated token>"}
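As an added example (not code from the original report), this is the kind of external script described above, written so that the 400 seen with a group access token is reported clearly and so that the registry tokens it mints are time-bound. It assumes the endpoint, field names and error message shown in the reproduction, and that a successful creation returns HTTP 201.

```python
"""Mint a temporary read_registry group access token via the GitLab API.
Assumes the endpoint/fields shown in the issue; 201 on success is assumed."""
import json
import urllib.request
import urllib.error
from datetime import date, timedelta

PERMISSION_MSG = "User does not have permission to create group access token"

def build_payload(name, scopes=("read_registry",), access_level=20, days_valid=1):
    """Body for POST /groups/:id/access_tokens. expires_at is added so the
    temporary registry token cannot outlive the task it was minted for."""
    expires = (date.today() + timedelta(days=days_valid)).isoformat()
    return {"name": name, "scopes": list(scopes),
            "access_level": access_level, "expires_at": expires}

def interpret_response(status, body):
    """Map HTTP status + JSON body to (ok, detail) so callers can act on it."""
    data = json.loads(body) if body else {}
    if status in (200, 201) and "token" in data:
        return True, {"id": data["id"], "token": data["token"],
                      "scopes": data["scopes"], "expires_at": data.get("expires_at")}
    if status == 400 and PERMISSION_MSG in data.get("message", ""):
        # The exact failure from the report: the caller's PRIVATE-TOKEN is most
        # likely a group access token, which was observed not to be able to
        # create another one; a personal access token with api scope worked.
        return False, ("denied: the PRIVATE-TOKEN in use may itself be a group "
                       "access token; use a personal access token with api scope")
    return False, f"unexpected response {status}: {body}"

def create_group_access_token(base_url, group_id, private_token, **payload_kw):
    """Send the request; never logs the token value, only the outcome."""
    req = urllib.request.Request(
        f"{base_url}/api/v4/groups/{group_id}/access_tokens",
        data=json.dumps(build_payload(**payload_kw)).encode(),
        headers={"PRIVATE-TOKEN": private_token, "Content-Type": "application/json"},
        method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return interpret_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:  # 4xx/5xx raise; body still carries the message
        return interpret_response(err.code, err.read().decode())
```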
What is the current bug behavior?
400 Bad request. No restriction on using this endpoint is documented.
What is the expected correct behavior?
Either the token should be generated, or the limitation should be documented clearly.