
A group access token cannot be used to rotate itself (api scope and owner role)

Summary

A group access token cannot be used to rotate itself (api scope and owner role)

I want to refresh a token with a scheduled job.

Steps to reproduce

  1. Define a group access token with scope ["api"] and access level "owner".

     The generated token is referred to as {{token}} in the following steps.

  2. Use the generated token to retrieve its own metadata and fetch the token_id:

     GET /api/v4/groups/{{group_id}}/access_tokens HTTP/1.1
     Private-Token: {{token}}
     Content-Type: application/json
     Host: {{gitlab_host}}

  3. Call the rotate endpoint for that token:

     POST /api/v4/groups/{{group_id}}/access_tokens/{{token_id}}/rotate HTTP/1.1
     Private-Token: {{token}}
     Content-Type: application/json
     Host: {{gitlab_host}}
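The three steps above as a scheduled self-rotation job, written as an added example that is not part of the issue and not GitLab's own code. It uses only the two endpoints named in the report; the host name, group id, token name and the glpat-* strings are hypothetical, and the scripted transport is a constructed stand-in for the API so the job can be exercised offline in both the reported (401) and expected (200) outcomes.

```python
# Added example, not code from the issue author or from GitLab: a self-rotation
# job that performs the three steps of the report and surfaces the 401 it describes.
# Hypothetical values: the host name, group id, token name and glpat-* strings.
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# (method, url, headers) -> (http_status, response_body); injectable so the job
# can be exercised offline with a scripted transport instead of a live server.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real transport using the standard library; a 4xx/5xx is returned, not raised."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")


def auth_headers(token: str) -> Dict[str, str]:
    """Same headers as the requests in the report."""
    return {"Private-Token": token, "Content-Type": "application/json"}


def find_own_token_id(transport: Transport, host: str, group_id: int,
                      token: str, token_name: str) -> Optional[int]:
    """Step 2: list the group's access tokens and return the id of the live one with our name."""
    url = f"https://{host}/api/v4/groups/{group_id}/access_tokens"
    status, body = transport("GET", url, auth_headers(token))
    if status != 200:
        raise RuntimeError(f"listing group access tokens failed: HTTP {status}")
    for entry in json.loads(body):
        if entry.get("name") == token_name and entry.get("active", True) and not entry.get("revoked", False):
            return int(entry["id"])
    return None


def rotate_token(transport: Transport, host: str, group_id: int,
                 token: str, token_id: int) -> Dict[str, object]:
    """Step 3: POST the rotate endpoint. On 200 the body carries the replacement token;
    any other status (the 401 in the report) is returned as a failure, never swallowed."""
    url = f"https://{host}/api/v4/groups/{group_id}/access_tokens/{token_id}/rotate"
    status, body = transport("POST", url, auth_headers(token))
    if status == 200:
        return {"ok": True, "token": json.loads(body)["token"]}
    return {"ok": False, "status": status}


def rotate_self(transport: Transport, host: str, group_id: int,
                token: str, token_name: str) -> Dict[str, object]:
    """Full job: find our own id, rotate, and report the outcome for the scheduler's logs."""
    token_id = find_own_token_id(transport, host, group_id, token, token_name)
    if token_id is None:
        return {"ok": False, "status": "token-not-found"}
    result = rotate_token(transport, host, group_id, token, token_id)
    # A successful rotation revokes the old token, so the caller must persist
    # result["token"] (secret store, CI variable) before this process exits.
    return result


def scripted_transport(rotate_status: int) -> Transport:
    """Constructed offline stand-in for the API: a 200 listing with one live token
    named 'rotation-job' (id 7), and a rotate response with the given status."""
    def transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        if headers.get("Private-Token") != "glpat-old":
            return 401, '{"message":"401 Unauthorized"}'
        if method == "GET" and url.endswith("/access_tokens"):
            return 200, json.dumps([{"id": 7, "name": "rotation-job", "active": True, "revoked": False},
                                    {"id": 3, "name": "old-job", "active": False, "revoked": True}])
        if method == "POST" and url.endswith("/access_tokens/7/rotate"):
            if rotate_status == 200:
                return 200, json.dumps({"id": 7, "name": "rotation-job", "token": "glpat-new"})
            return rotate_status, '{"message":"401 Unauthorized"}'
        return 404, '{"message":"404 Not Found"}'
    return transport


if __name__ == "__main__":
    # Offline demonstration of both outcomes; swap in urllib_transport for a real host.
    print(rotate_self(scripted_transport(401), "gitlab.example", 42, "glpat-old", "rotation-job"))
    print(rotate_self(scripted_transport(200), "gitlab.example", 42, "glpat-old", "rotation-job"))
```

The job deliberately returns the failing status instead of retrying: a scheduled rotation that loops on a 401 only produces a stream of failed authentication events in the audit log, whereas a reported failure lets the operator rotate the token by hand before it expires. On success the replacement token must be written to its secret store before the process exits, because the rotation has already revoked the one the job authenticated with.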

What is the current bug behavior?

The POST request returns 401 Unauthorized.

What is the expected correct behavior?

The POST request returns 200 OK with the rotated token.