Extends self rotate endpoint to all access token (PAT/PrAT/GrAT)
-
Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA. As a benefit of being a GitLab Community Contributor, you receive complimentary access to GitLab Duo.
What does this MR do and why?
This MR is a rebase-and-retest update of !142995 (closed). I've copied the full description from the original MR below.
I've rebased this on recent master and fully tested. I agree that it does what it reports to do, so is ready for review. There are a couple very minor changes I want to do before merge:
-
Update documentation references to the release version to make sure they coincide with current reality. -
Rebase again on top of master.
What does this MR do?
- Adds a
self_rotatescope fort PAT/GrAT/PrAT which purpose is to allow a nonapiaccess token to rotate itself using the Access Token self rotate api - Extends the Access Token self rotate api (see !142664 (merged)) to PrAT and GrAT
Note: With this MR only access tokens with api or self_rotate scope will be able to rotate themselves
Why ?
In the current Gitlab version, if you want to programmatically rotate an PrAT or a GrAT you need a second access token (specifically an api scoped PAT) and the procedure will be neither simple nor secure:
- Rotation the PrAT/GrAT (see #426779 (closed)) requires to
- exec a 1st request to obtain the PrAT/GrAT
- extract the token id
- exec a 2nd request to rotate the PrAT/GrAT
- Rotation of the
apiPAT will also have to done periodically
So currently PrAT/GrAT are kind of useless in automation scenarios...
With the proposed MR, you just have to add a self_rotate scope to a PAT/GrAT/PrAT in order to enable it to rotate itself.
So automations scenarios will be simpler (just 1 request to self-rotate the token) and more secure (a 2nd api scoped PAT is not needed anymore).
Require !142664 (merged)
Related issues #426779 (closed) #430748 (closed) #434416 (closed)
Closes #426779 (closed) #430748 (closed)
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Personnal Access Token
| Before | After |
|---|---|
 |
 |
Group Access Token
| Before | After |
|---|---|
 |
 |
Project Access Token
| Before | After |
|---|---|
 |
 |
How to set up and validate locally
- Create a PAT/GrAT/PrAT token with
apiorself_rotatescope - Run the following command
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/personal_access_tokens/self/rotate"MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.