
Add role check instructions for a project access token

Context

I was rotating https://gitlab.com/gitlab-org/quality/engineering-productivity/team/-/blob/main/runbooks/rotating-credentials.md#gitlab_project_review_app_cleanup_api_token, when I saw the following text:

Create a new GITLAB_PROJECT_REVIEW_APP_CLEANUP_API_TOKEN token with api scope, Maintainer role (TODO: check if required)

I wanted to check whether it was required, and then realized that we might want to have a systematic check for those.

Goal

I tried to have the following in the checks:

  1. Generic: we will want to do such a check for all tokens
  2. Recurrent: This check should be done regularly, so I thought it might be a good idea to add it as part of the rotation instructions
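One way to make the role check both generic and repeatable is to audit every project access token against a documented "required role" inventory. The following is an added example, not code from this MR or the runbook; SAMPLE_TOKENS is a constructed list in the shape returned by the GitLab API's GET /projects/:id/access_tokens, and the token names, dates and REQUIRED_ROLE entries are assumptions made for the example.

```python
"""Least-privilege audit of GitLab project access tokens (added example)."""
from datetime import date

# Access-level integers as used by the GitLab API.
ROLE_NAMES = {10: "Guest", 20: "Reporter", 30: "Developer", 40: "Maintainer", 50: "Owner"}

# Hypothetical inventory of the role each token's job actually needs.
# Resolving the runbook's "TODO: check if required" means filling this in.
REQUIRED_ROLE = {
    "GITLAB_PROJECT_REVIEW_APP_CLEANUP_API_TOKEN": 30,  # assumed: Developer suffices
    "docs-deploy-bot": 20,                               # assumed: Reporter suffices
}

# Constructed sample mirroring the API response fields (name, scopes, access_level, expires_at).
SAMPLE_TOKENS = [
    {"name": "GITLAB_PROJECT_REVIEW_APP_CLEANUP_API_TOKEN", "scopes": ["api"],
     "access_level": 40, "expires_at": "2025-03-01"},
    {"name": "docs-deploy-bot", "scopes": ["read_repository"],
     "access_level": 20, "expires_at": "2024-06-01"},
    {"name": "legacy-ci-token", "scopes": ["api", "write_repository"],
     "access_level": 50, "expires_at": None},
]


def audit_tokens(tokens, required_role, today):
    """Return (token name, finding) pairs for tokens that violate least privilege.

    `today` is an ISO date string so the audit is reproducible in a scheduled job.
    """
    today = date.fromisoformat(today)
    findings = []
    for tok in tokens:
        name, granted = tok["name"], tok["access_level"]
        needed = required_role.get(name)
        if needed is None:
            findings.append((name, "required role undocumented; record it in the rotation runbook"))
        elif granted > needed:
            findings.append((name, f"granted {ROLE_NAMES[granted]}, only {ROLE_NAMES[needed]} required"))
        expires = tok.get("expires_at")
        if expires is None:
            findings.append((name, "no expiry set"))
        elif date.fromisoformat(expires) < today:
            findings.append((name, f"expired on {expires}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_tokens(SAMPLE_TOKENS, REQUIRED_ROLE, "2024-09-01"):
        print(f"{name}: {finding}")
```

Run at each rotation (or on a schedule) against the live API response, a non-empty result is the signal to downgrade the role, set an expiry, or document why the current role is needed.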

Expand to all tokens

If we like the approach, it might be a good idea to add some instructions to all tokens.

I already made a separate section that we can crosslink to avoid duplication.

Edited by David Dieulivol
