3

We've recently adopted the GitLab dependency proxy for our project on a self-hosted GitLab instance.

This works fine for normal users, but fails for pipelines created via the API using a project or group access token, regardless of access level.

We've tried with a project token that has API permission and a developer role as well as a group account with that permission and developer role.
We also tried to grant the tokens permission for read_registry, write_registry to no avail.

The outcome is always the same: Any pipeline triggered by a Token/Bot user runs into a wall where it says you're not authenticated to access the dependency proxy because no credentials were specified. If I restart the very same job as a human user from the UI everything works just fine.

How do I need to configure my access tokens so that their corresponding bot users can access the dependency proxy?

Mastacheata
  • 1,866
  • 2
  • 21
  • 32

1 Answers1

0

The issue is most likely about using wrong credentials.

According to the documentation, it won't work with project access token, or group access token – only personal access token & group deploy token besides username & password are supported.

Now let's say we want to use group deploy token. The docker-machine executor usually uses $CI_DEPENDENCY_PROXY_USER & $CI_DEPENDENCY_PROXY_PASSWORD (source) to authenticate to $CI_DEPENDENCY_PROXY_SERVER, as those variables are set up automatically.

Those credentials are the same as $CI_REGISTRY_USER & $CI_REGISTRY_PASSWORD (source) – the password in both cases is the job token. The job token has the same permissions as the user, and as mentioned above, group access token and project access token do not have access to the dependency proxy.

According to the deploy token documentation, you should authenticate to dependency proxy using the username (of the group deploy token) & token instead. To achieve that, I think the only option would be to embed deploy user & token inside $DOCKER_AUTH_CONFIG CI/CD variable.

I have not tried such scenario but I think it should work.

For docker-in-docker, you should be able to set DEPLOY_TOKEN_USERNAME & DEPLOY_TOKEN_TOKEN in CI/CD variables (using values from group deploy token) and then just login with those:

before_script:
  - echo $DEPLOY_TOKEN_TOKEN | docker login -u $DEPLOY_TOKEN_USERNAME --password-stdin $CI_DEPENDENCY_PROXY_SERVER
script:
  - docker pull $CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX/alpine
Marek Grzenkowicz
  • 17,024
  • 9
  • 81
  • 111
Valtteri R.
  • 1
  • 1