Our API allows a group access token to be rotated, which will generate a new token with an expiration of one week. A customer would like for this rotation period to be customized and allow for an option to have the rotated token expire either in 90 days or a custom defined period.
Hannah Sutor changed title from Allow custom time period for group access tokens rotated via API to Allow custom time period for access tokens rotated via API
Just adding my 2c here: the GitLab Dedicated team, and more widely, the GitLab Infrastructure team as a whole, would like to automate token rotation of Project and Group Access tokens, and of Service Account Tokens as we adopt Service Accounts, but with a fixed one week expiry date on the tokens, and without being able to configure the expiry dates, this is currently a non-starter for us.
Very much looking forward to this feature being delivered so that we can further automate token rotation.
A Mid-Market SaaS Customer wanted to share in this ticket that they have very similar interests to what Andrew stated, and they are looking forward to seeing this implemented as well.
Many of our teams utilize Group Access Tokens in combination with GPG keys. Under the current token expiration policy, we find ourselves having to regenerate Group Access Tokens annually. This process involves a bit of effort and time, particularly in associating the new tokens with the corresponding GPG keys. Introducing a feature for Group Access Token Rotation would significantly streamline these workflows, ultimately making life easier for everyone. Consequently, we kindly request that the new tokens generated via the API can be configured to have a one-year duration as well.
Problem they are trying to solve:
GitLab group access tokens have the potential to be exposed by GitLab runners. Consequently, we have a requirement to rotate all group access tokens. As I mentioned above, asking every team to re-create the group access tokens and associate them with new GPG keys is not an easy task.
Current solution for this problem:
Recreate the group access token and associate it with a new GPG key manually.
Impact to the customer of not having this:
Team productivity will be increased significantly.
Questions:
Can we have an ETA regarding when this new feature will be fully implemented and available for production use?
We plan to do it in %16.7 as of now, but whether it is committed to for the milestone will depend on whether it gets the Deliverable label. We will do that in about 1 week.
@adil.farrukh Thanks for pointing this out, I must have missed it. I re-opened the issue to get the bot to generate one, I will come back and close it out and author the release post.