0

I am trying to connect to the GitLab API from code to download artifacts. To do so, I'm required to generate a private access token and send it with the request. I don't want to set a permanent token because it is not secure, so I tried to find some API to delete and generate a new token when the old one has expired, but I couldn't find anything. I also tried to use deploy tokens, but they have no permission to the GitLab API.

Any suggestions?

Dana Koren

2 Answers

0

It is not possible yet, but they have an issue open to add it.

You can follow the discussion here: https://gitlab.com/gitlab-org/gitlab/-/issues/17176

Sergio Tanaka
  • This issue was opened 3 years ago... I don't think it will close any time soon... – Dana Koren Aug 26 '20 at 15:54
  • I know, but the issue is still active; the last reply is from 1 month ago. GitLab is a huge product and they are improving very fast, but of course there are some things that we need to wait a little longer for. – Sergio Tanaka Aug 26 '20 at 21:19
0

> I don't want to set a permanent token because it is not secure

Since GitLab version 13.3, Project access tokens are available, which give you the opportunity to issue a token for a specific project and limit its scope. So it's definitely better than using your own private token.

> Project level access tokens allow access to a project without the need to provision a new GitLab user. Project access tokens can be generated by project Maintainers or Owners and be used to authenticate with the GitLab API. Project access tokens will be authorized as Maintainers. This new functionality will make programmatic access to GitLab easier and more secure.


Previous answer:

Probably it would be less insecure to create an extra user with permissions only for the desired repository (from which we want to download artifacts) and issue a personal token for this user. So even if the token is compromised, the offender will only be able to download artifacts.

ujlbu4
  • Yeah, but unless I give that user API permissions it won't let me download artifacts. So that user would have full access to this repository's API... – Dana Koren Sep 03 '20 at 07:02
  • @DanaKoren how about [impersonation tokens](https://docs.gitlab.com/ee/api/README.html#impersonation-tokens)? — you could set a scope (only-api for example) on such tokens and [create](https://docs.gitlab.com/ee/api/users.html#create-an-impersonation-token)/[revoke](https://docs.gitlab.com/ee/api/users.html#revoke-an-impersonation-token) these tokens from the API (but only with admin permissions) – ujlbu4 Sep 06 '20 at 01:15
  • @DanaKoren [Project access tokens](https://about.gitlab.com/releases/2020/08/22/gitlab-13-3-released/#project-access-tokens) are available now, take a look – ujlbu4 Sep 09 '20 at 09:33
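
The create/use/revoke cycle for impersonation tokens mentioned in the comments above, written out as an added example (not code from the question or either answer). It assumes an admin token and the id of a dedicated low-privilege user; the function names, the token name `artifact-fetch` and the injectable `call` transport are hypothetical.

```python
import json
import urllib.parse
import urllib.request
from datetime import date, timedelta


def http_call(method, url, token, form=None):
    """Default transport: send one API request, return the body as bytes."""
    data = urllib.parse.urlencode(form, doseq=True).encode() if form else None
    # Note: urllib re-sends this header if the server answers with a redirect.
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def download_with_ephemeral_token(base, admin_token, user_id, project_id,
                                  ref, job, scopes=("api",), call=http_call):
    """Create a one-day impersonation token, fetch artifacts, always revoke."""
    api = base.rstrip("/") + "/api/v4"
    # expires_at is a date (YYYY-MM-DD), so the token also dies on its own
    # if the revoke call in the finally block never reaches the server.
    expires = (date.today() + timedelta(days=1)).isoformat()
    created = json.loads(call(
        "POST", f"{api}/users/{user_id}/impersonation_tokens", admin_token,
        {"name": "artifact-fetch", "expires_at": expires,
         "scopes[]": list(scopes)}))
    try:
        ref_q = urllib.parse.quote(ref, safe="")
        query = urllib.parse.urlencode({"job": job})
        url = f"{api}/projects/{project_id}/jobs/artifacts/{ref_q}/download?{query}"
        # Only the short-lived token is used for the download itself.
        return call("GET", url, created["token"])
    finally:
        # The admin token revokes the temporary one, even if the download failed.
        call("DELETE",
             f"{api}/users/{user_id}/impersonation_tokens/{created['id']}",
             admin_token)
```

The admin token is still a long-lived secret, so it belongs in a protected secret store; only the short-lived token is ever sent with the artifact request.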