API Token permission issue
Hi, I have been having trouble with the scopes set on a given API token. Please consider this Python code:
import os
import requests

# Values the snippet uses but does not define; placeholders so it runs as posted.
gitlab_token = os.environ["GITLAB_TOKEN"]
AGENT_VERSION_ID = "<agent version id>"
TERRAFORM_FILE_PATH = "agent_version_id.autovars.tf"
GITLAB_COMMIT_API_URL = "https://gitlab.example.com/api/v4/projects/<project_id>/repository/commits"
terraform_content = f'agent_version_id = "{AGENT_VERSION_ID}"\n'

headers = {"PRIVATE-TOKEN": gitlab_token}
commit_payload = {
    "branch": "main",
    "commit_message": f"Update agent_version_id.autovars.tf to version {AGENT_VERSION_ID}",
    "actions": [
        {
            "action": "update",
            "file_path": TERRAFORM_FILE_PATH,
            "content": terraform_content,
        }
    ],
}
response = requests.post(GITLAB_COMMIT_API_URL, headers=headers, json=commit_payload)
Please consider this error:
2025-02-19T20:38:10 [ERROR]: Failed to commit update: 403 {"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"api read_api"}
First: The error states that I need the read_api scope while it's already included in the token: read_api, read_user, read_repository, write_repository
Second: Am I supposed to need the "api" scope?
api: Grants complete read/write access to the API, including all groups and projects, the container registry, the dependency proxy, and the package registry.
Why do I need to create a token that has root access to 100% of the service provider just to push a single? It doesn't seem to make sense; am I missing something?
Out of all the possible permission scopes:
api: Grants complete read/write access to the API, including all groups and projects, the container registry, the dependency proxy, and the package registry.
read_api: Grants read access to the API, including all groups and projects, the container registry, and the package registry.
read_user: Grants read-only access to your profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users.
create_runner: Grants create access to the runners.
manage_runner: Grants access to manage the runners.
k8s_proxy: Grants permission to perform Kubernetes API calls using the agent for Kubernetes.
self_rotate: Grants permission for token to rotate itself.
read_repository: Grants read-only access to repositories on private projects using Git-over-HTTP or the Repository Files API.
write_repository: Grants read-write access to repositories on private projects using Git-over-HTTP (not using the API).
read_registry: Grants read-only access to container registry images on private projects.
write_registry: Grants write access to container registry images on private projects. You need both read and write access to push images.
read_virtual_registry: Read Virtual Registry
write_virtual_registry: Write Virtual Registry
ai_features: Grants access to GitLab Duo related API endpoints.
No matter which read/write combination I choose, I can never write to anything except with the api scope, which is obviously not favourable. Please advise.
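The scope list quoted above already contains the answer to the least-privilege question: write_repository covers Git-over-HTTP "not using the API", so a token limited to that scope cannot use the commits endpoint, while pushing the same change with git can. The following added example (not the reporter's code and not part of GitLab) does two things: it parses the 403 body from the report to show which accepted scope the token is actually missing, and it performs the same single-file update over Git-over-HTTP with a write_repository token supplied through an environment variable and a GIT_ASKPASS helper, so the token never lands in a clone URL, process listing or remote config. The repository URL, the GITLAB_TOKEN environment variable name and the oauth2 username are assumptions for illustration.

```python
"""Commit one file to a GitLab repo with a write_repository token instead of the api scope."""
import json
import os
import stat
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample: the 403 body quoted in the issue above.
SAMPLE_403_BODY = (
    '{"error":"insufficient_scope","error_description":"The request requires '
    'higher privileges than provided by the access token.","scope":"api read_api"}'
)
# Scopes the issue's token carries, as listed by the reporter.
TOKEN_SCOPES = {"read_api", "read_user", "read_repository", "write_repository"}


def missing_scopes(error_body: str, token_scopes: set) -> Optional[set]:
    """Parse an insufficient_scope error and return the accepted scopes the token lacks.

    The `scope` field lists every scope the endpoint accepts in some mode; for a write
    request the write-capable one (api) is what has to be present, which is why the
    message looks contradictory when read_api is already granted.
    """
    body = json.loads(error_body)
    if body.get("error") != "insufficient_scope":
        return None
    accepted = set(body.get("scope", "").split())
    return accepted - set(token_scopes)


def _askpass_script(tmpdir: Path, token_env: str) -> Path:
    """Write a GIT_ASKPASS helper answering git's username/password prompts.

    The helper reads the token from the environment at prompt time, so it is never
    embedded in the URL, passed on a command line, or stored in .git/config.
    """
    script = tmpdir / "askpass.sh"
    script.write_text(
        "#!/bin/sh\n"
        'case "$1" in\n'
        "  Username*) echo oauth2 ;;\n"          # any username works with a PAT (assumption: oauth2)
        f'  *) printf "%s" "${token_env}" ;;\n'  # password prompt: emit the token
        "esac\n"
    )
    script.chmod(script.stat().st_mode | stat.S_IXUSR)
    return script


def push_file_over_http(repo_url: str, token_env: str, file_path: str,
                        content: str, message: str, branch: str = "main") -> str:
    """Update one file and push it via Git-over-HTTP, which write_repository permits.

    repo_url is the https clone URL (assumed example: https://gitlab.example.com/group/proj.git).
    Returns the SHA of the new commit.
    """
    if token_env not in os.environ:
        raise RuntimeError(f"set {token_env} to a token with write_repository scope")
    with tempfile.TemporaryDirectory() as tmp:
        tmpdir = Path(tmp)
        env = {**os.environ,
               "GIT_ASKPASS": str(_askpass_script(tmpdir, token_env)),
               "GIT_TERMINAL_PROMPT": "0"}  # fail instead of hanging on a prompt
        work = tmpdir / "repo"

        def git(*args: str) -> str:
            # Identity is set per invocation so the script needs no global git config.
            cmd = ["git", "-c", "user.name=terraform-bot",
                   "-c", "user.email=bot@example.invalid", *args]
            return subprocess.run(cmd, check=True, env=env, text=True,
                                  capture_output=True).stdout.strip()

        git("clone", "--branch", branch, repo_url, str(work))
        target = work / file_path
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
        git("-C", str(work), "add", file_path)
        git("-C", str(work), "commit", "-m", message)
        git("-C", str(work), "push", "origin", f"HEAD:{branch}")
        return git("-C", str(work), "rev-parse", "HEAD")


if __name__ == "__main__":
    print("token is missing:", missing_scopes(SAMPLE_403_BODY, TOKEN_SCOPES))
    # Live run (needs network and a write_repository token in GITLAB_TOKEN):
    # sha = push_file_over_http("https://gitlab.example.com/group/proj.git", "GITLAB_TOKEN",
    #                           "agent_version_id.autovars.tf",
    #                           'agent_version_id = "<id>"\n',
    #                           "Update agent_version_id.autovars.tf")
```

Running the diagnostic against the quoted error yields {"api"}: the token satisfies read_api, but the POST needs the write side, which only api grants among API scopes. The push path sidesteps that by staying on Git-over-HTTP, where write_repository is sufficient, so a CI job can be given a project-scoped token with that single scope rather than full API access.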