From YouTube: Personal Access Token Generator
Description
Have you ever wanted more access to the GitLab API within a GitLab CI Job but not rely on a single person's Personal Access Token?
That's the aim of this preview. It also highlights the power of the CI Job's JSON Web Token and how it can be leveraged to grant CI Jobs access to external resources in a trustworthy way.
https://gitlab.com/poffey21/private-access-token-generator
A
Hi everyone, my name is Tim Poffenberger, and I wanted to showcase how you can use the JSON Web Token that comes with every CI job to really offer some flexibility into trusting CI jobs and then granting access to external resources for CI jobs. This particular use case is, I have these independent CI jobs, and I want to give developers API access, full unfettered API access to the GitLab API, without having to rely on the CI job token, nor rely on a single user personal access token that would typically be stored in the CI variables settings.
A
What this looks like is, so, you can see that this is one of the API endpoints of many that is not accessible via the CI job token, but utilizing this external service and passing the job JWT environment variable, which is storing a JSON Web Token, which is a trusted source for letting an external service know who the user is, what job they're coming from, what project they're coming from.
A
So this JWT is being passed to this external service, the external service's investigating that JWT, and then, based on the user that pushed this play button, they're going to provide an impersonation token of that person that played the job, and you can see, utilizing this private token to this API endpoint, you can see that this is me.
A
Unfortunately, this isn't all that useful, because you can see that, like, the personal access token that's generating this impersonation token is me, literally, and I have admin access. So let's go ahead and switch over to a different user and click retry real quick. And one of the things that, you know, immediately comes to mind is, like, well, what's preventing someone from, you know, playing this job and then exporting this pipeline, or this job token, out to an external user or external service for use?
A
So you can see that this personal access token got generated for this Tim Poffenberger developer user, and that when it made this curl call, it came back, and you can see that it is indeed the Tim Poffenberger developer user, and the job completed. So if we refresh this, we can actually see that that impersonation token was immediately revoked.