rotating access tokens #3207
Unanswered
walterrowe
asked this question in
Q&A
rotating access tokens
#3207
Replies: 1 comment
-
|
I'm working on a simple tool that does this. You are correct that you only get to see the generated tokens once so my tool uses a config file which maps tokens to CI/CD variables. When a token is updated, the associated variable(s) are updated too. It will also create missing tokens and variables from the config. My plan is to use a pipeline to run the tool on merges to main. This way I can update the config with new tokens and variables and the pipeline will create them (configuration as code). I'll also have a scheduled pipeline that checks for tokens that need to be rotated and do so before they expire. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
I had this idea for a utility that would search a list of projects, or all projects in a group, for access tokens and rotate them. The script would also look for CI variables that refer to the old token value and replace it with the new token value. It also would produce a nice report showing which tokens were referenced in what CI variables by what projects.
The challenge I face is that the object returned by
project.access_tokens.get()(see GitLab Project Access Tokens API) doesn't include the current token secret value (likely for security reasons?). When we rotate a token we get the new token value, but we never see the prior token value. This makes it impossible to do what I envisioned.Now that access tokens have mandatory expiration dates we are forced to rotate them periodically. It would be nice to have a utility that would aid in this tedious maintenance process.
Does anyone in the community, or the project developers, have a suggestion for working around this?
Beta Was this translation helpful? Give feedback.
All reactions