Handle access_token and service_account bypass from security policy
What does this MR do and why?
As a part of Service Account & Access Token Exceptions for M... (&18112 - closed), we want to allow designated service accounts and access tokens to bypass merge request approval policies when necessary, eliminating friction for legitimate automation while preserving security controls.
This MR adds the services to check the policies with bypass_settings and validates if the service accounts/access tokens are allowed to bypass the push controls enforced by security policy.
References
Screenshots or screen recordings
Access Tokens
Policies
Push with access tokens
| type | screenshot |
|---|---|
| Access token without push access | (screenshot not included) |
| Access token with push access but not allowed to bypass | (screenshot not included) |
| Access token with push access and allowed to bypass | (screenshot not included) |
Push with service accounts
| type | screenshot |
|---|---|
| Service account with push access but not allowed to bypass | (screenshot not included) |
| Service account with push access and allowed to bypass | (screenshot not included) |
Audit Events
How to set up and validate locally
- Enable the `security_policies_bypass_options_tokens_accounts` feature flag
- Create a top-level group
- Add a group-level protected branch from Settings->Repository->Protected Branches: add `main` with `Developer` allowed to push and merge
- From Settings->Access Tokens, create 2 access tokens with the `api` scope and the `Developer` role, and 1 access token with the `Guest` role and the `read_api` scope; note each access token and its ID
- From Settings->Service Accounts, create 2 service accounts for the group, create access tokens for each service account, and note the access tokens
- Create a project within the group with README.md content
- Add the created service accounts to the project from Manage->Members
- Create 2 MR approval policies, each with 1 of the 2 access tokens or service accounts in the `bypass_settings`:
```yaml
approval_policy:
  - name: Policy bypass with access tokens
    description: ''
    enabled: true
    policy_scope:
      projects:
        excluding: []
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - maintainer
      - type: send_bot_message
        enabled: true
    approval_settings:
      block_branch_modification: true
      block_group_branch_modification: true
      prevent_pushing_and_force_pushing: true
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: false
    fallback_behavior:
      fail: open
    bypass_settings:
      access_tokens:
        - id: <ID of the access token>
```

```yaml
approval_policy:
  - name: Policy bypass with service accounts
    description: ''
    enabled: true
    policy_scope:
      projects:
        excluding: []
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - maintainer
      - type: send_bot_message
        enabled: true
    approval_settings:
      block_branch_modification: true
      block_group_branch_modification: true
      prevent_pushing_and_force_pushing: true
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: false
    fallback_behavior:
      fail: open
    bypass_settings:
      service_accounts:
        - id: <ID of the service account user>
```
- Use the 3 access tokens (and the service account tokens) to commit to the `main` branch of the project:

```shell
curl --request POST "http://gdk.test:3000/api/v4/projects/<PROJECT_ID>/repository/commits" \
  --header "PRIVATE-TOKEN: <TOKEN>" \
  --header "Content-Type: application/json" \
  --data '{
    "branch": "main",
    "commit_message": "Add TEST.md",
    "actions": [
      {
        "action": "create",
        "file_path": "TEST.md",
        "content": "New content for TEST.md"
      }
    ]
  }'
```
- Verify that only the access token (or service account) configured in a policy's `bypass_settings` is allowed to commit and push to the default branch.
- Verify the same in the audit logs under Secure->Audit Events.
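To make the expected outcome of the validation steps above concrete, here is an added example (not code from this MR or from GitLab) that evaluates a constructed policy document shaped like the two policies above against the actor performing the push. It assumes, as a simplification, that every enabled policy with `prevent_pushing_and_force_pushing: true` must individually list the actor's access token ID or service account user ID in its `bypass_settings` for the push to be allowed; the `blocking_policies` and `push_allowed?` helpers and the numeric IDs are hypothetical.

```ruby
require 'yaml'

# Constructed policy YAML: trimmed copies of the two policies from this MR,
# with placeholder IDs (42 = access token, 1001 = service account user).
POLICIES_YAML = <<~YAML
  approval_policy:
    - name: Policy bypass with access tokens
      enabled: true
      approval_settings:
        prevent_pushing_and_force_pushing: true
      bypass_settings:
        access_tokens:
          - id: 42
    - name: Policy bypass with service accounts
      enabled: true
      approval_settings:
        prevent_pushing_and_force_pushing: true
      bypass_settings:
        service_accounts:
          - id: 1001
    - name: Disabled policy (must be ignored)
      enabled: false
      approval_settings:
        prevent_pushing_and_force_pushing: true
YAML

# Hypothetical check: names of enabled push-blocking policies that do NOT
# list the actor in their bypass_settings. `actor` is a Hash such as
# { access_token_id: 42 } or { service_account_user_id: 1001 };
# an ordinary user has neither key and therefore never bypasses.
def blocking_policies(policies_yaml, actor)
  policies = YAML.safe_load(policies_yaml).fetch('approval_policy', [])
  policies.select do |policy|
    next false unless policy['enabled']
    next false unless policy.dig('approval_settings', 'prevent_pushing_and_force_pushing')

    bypass = policy['bypass_settings'] || {}
    token_ids = (bypass['access_tokens'] || []).map { |t| t['id'] }
    sa_ids = (bypass['service_accounts'] || []).map { |s| s['id'] }
    # Only an explicit match bypasses; a missing actor key matches nothing.
    allowed = token_ids.include?(actor[:access_token_id]) ||
              sa_ids.include?(actor[:service_account_user_id])
    !allowed
  end.map { |p| p['name'] }
end

# The push to a protected branch is allowed only when no policy blocks it.
def push_allowed?(policies_yaml, actor)
  blocking_policies(policies_yaml, actor).empty?
end
```

Note that with both policies enabled, the token listed in only one of them is still blocked by the other; a token is cleared only when every push-blocking policy lists it.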
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Sashi Kumar Kumaresan