Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Solutions Architecture / 19 Aug 2020
GitLab / Solutions Architecture / 19 Aug 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Personal Access Token Generator

Description

Have you ever wanted more access to the GitLab API within a GitLab CI Job but not rely on a single person's Personal Access Token?

That's the aim of this preview. It also highlights the power of the CI Job's JSON Web Token and how it can be leveraged to grant CI Jobs access to external resources in a trustworthy way.

https://gitlab.com/poffey21/private-access-token-generator

A

Hi everyone, my name is tim poffenberger, and I wanted to showcase how you can use the json web token, that comes with every ci job, to really offer some flexibility into trusting ci jobs and then granting access to external resources for ci jobs. This particular use case is, I have these independent ci jobs, and I want to give developers api access, full unfettered api access to the gitlab api without having to rely on the ci job token, nor rely on a single user personal access token that would typically be stored in the ci variables settings.

A

That's only tied to a single user for that project, so this is useful if you want to update badges within gitlab or push code back to the repository download artifacts, and you don't have the the job token available or really any git lab api interaction and the gist of what this is going to do is this is a external service external to git, lab that the developer can call out to and say, hey I'm coming from this job, and this external service will generate an impersonation token, which is a personal access token back to the developer and store that as an environment variable that they can then use for subsequent calls to the gitlab api for the life of that job in reality.

A

What's what this looks like is uh the so um you can see that this is one of the api endpoints of many that is not accessible via the the ci job token, but utilizing this external service and passing the the job jwt environment variable which is storing a json web token, which is a a trusted source for letting an external service know who the user is, what job they're coming from, what project they're coming from.

A

So this jwt is being passed to this external service, the external services investigating that jwt and then based on the user. That pushed this play button they're going to provide a an impersonation token of that person that played the job, and you can see utilizing this private token to this api endpoint. You can see that this is me.

A

Unfortunately, this isn't all that useful, because you can see that, like the the personal access token that's generating this impersonation token is, is me literally and I have admin access so uh so, let's go ahead and switch over to a different user and click retry. Real quick and one of the things that you know immediately comes to mind is like well what's preventing someone from you know, playing this job and then exporting this pipeline, or this job token out to an external user in uh or external service for use.

A

So you can see that this, this personal access token got generated for this tim hoffenberger developer user and that when it made this curl call it came back and you can see that it is indeed the tim poffenburger developer user and the job completed. So if we refresh this, we can actually see that that impersonation token was immediately revoked.

A

So you don't have long-lived personal access, tokens they're very short-lived. They only live for a day and then they immediately get revoked thanks for your time.