Backport token logging improvements to display token identifiers

Issue link

https://gitlab.com/gitlab-org/gitlab/-/issues/462157

Does this request relate to a bug or to a feature?

This is a request to backport logging improvements to identify expired tokens being used in API calls, for SM users who would see a 1-year expiration set on tokens that are currently without one as part of the deprecation. The backport request is for GitLab versions 16.5 to 17.1. See https://gitlab.com/gitlab-org/gitlab/-/issues/462157#note_1977851237 for leadership approval on the additional backport.

MR(s)

  • The same changes are already deployed to GitLab.com, and those MRs can be found in the Related Merge Requests table.

MRs Does this cleanly apply to the desired branch? Is the MR ready for merge? Test Platform has verified results? Notes
(Master) gitlab-org/gitlab!157277 (merged) N/A N/A original addition for reference
(17.1) gitlab-org/gitlab!158509 (merged)
(17.0) gitlab-org/gitlab!158511 (merged)
(16.11) gitlab-org/gitlab!158515 (merged)
(16.10) gitlab-org/gitlab!158516 (merged)
(16.9) gitlab-org/gitlab!158517 (merged)
(16.8) gitlab-org/gitlab!158518 (merged)
(16.7) gitlab-org/gitlab!158519 (merged)
(16.6) gitlab-org/gitlab!158525 (merged)
(16.5) gitlab-org/gitlab!158526 (merged)

Backport Versions

Product Manager Approval needs to be provided in the table below for each version. Without Product Manager Approval, the Backport Request will not be taken into consideration by Release Managers.

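| Version | Approval from Product (to confirm the bug justifies the upgrade cost) | Approval by Release Manager | Notes |
| --- | --- | --- | --- |
| 17.1 | | | |
| 17.0 | | | |
| 16.11 | | | |
| 16.10 | | | |
| 16.9 | | | |
| 16.8 | | | |
| 16.7 | | | |
| 16.6 | | | |
| 16.5 | | | |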

Does this bug potentially result in data loss?

This change will not result in data loss and is a logging change only.

Customer impact

On GitLab.com, we discovered that a large number of our customers were not prepared for the tokens to be expired. The change adds logging of token identifiers to make it easier to identify and rotate tokens that may be used after their expiration.

Product DRI - @hsutor

Workaround

There isn't an easy workaround for admins to view whether a certain token being used is expired, and they will need to manually query all tokens (or have access to a Premium+ feature of credentials inventory). On GitLab.com there isn't a workaround.

@gitlab-org/release/managers please assign yourselves to this issue.

Edited by Dat Tang