ilijamt / vault-plugin-secrets-gitlab

Vault Plugin for Gitlab Access Tokens
MIT License

Cater for gitlab.com service accounts #102

Closed GavinCS closed 1 month ago

GavinCS commented 4 months ago

Currently, service accounts are being treated as users, as per self-hosted. However, this does not allow for managing service account tokens on gitlab.com, where the path is /groups/:id/service_accounts/:user_id/personal_access_tokens/

This results in 403s:

"POST https://gitlab.com/api/v4/users/:id/personal_access_tokens: 403 {message: 403 Forbidden}"

Would it be possible to add a new token type for service accounts?

GavinCS commented 4 months ago

Also noted that I can't use a service account token without an expiry date, which is allowed by GitLab.

2024-07-19T17:35:36.511+0100 [DEBUG] secrets.gitlab.gitlab_3d07d388.gitlab.vault-plugin-secrets-gitlab: Current token info: error=<nil> token="map[access_level: created_at:2024-07-19T16:33:24.213Z expires_at:<nil> gitlab_revokes_token:false name:GITLAB AUTO ROTATE TOKEN parent_id: path: role_name: scopes:[api] token: token_id:+07 token_type:personal user_id:+07]" timestamp="2024-07-19T17:35:36.510+0100"
2024-07-19T17:35:36.513+0100 [DEBUG] secrets.gitlab.gitlab_3d07d388.gitlab.vault-plugin-secrets-gitlab: panic: runtime error: invalid memory address or nil pointer dereference

ilijamt commented 4 months ago

I'll have to take a look. Currently, I have limited time due to the summer holidays.

GavinCS commented 4 months ago

@ilijamt thank you. I am currently working on a POC fix for non entry token. Are you happy for me to submit an MR?

GavinCS commented 3 months ago

https://github.com/ilijamt/vault-plugin-secrets-gitlab/pull/105

ilijamt commented 3 months ago

Hey @GavinCS, I should look at this in the next couple of weeks.

GavinCS commented 3 months ago

Thanks @ilijamt, I am using the forked version for now. We have had it running in our staging environment now for a week or so, and will be able to confirm stability with hosted GitLab soon.

ilijamt commented 2 months ago

#110

ilijamt commented 1 month ago

@GavinCS sorry for the delay. Can you try #110 and let me know how it works for you? You can now specify the type of service account you use, if you want it to be a group or a user service account. Should make it more clear.

I've also added type to config so we can specify the type of GitLab we run.

Let me know if you run into any problems.

ilijamt commented 1 month ago

It's merged into main.

ilijamt commented 1 month ago

Released under v0.5.0

ilijamt commented 1 month ago

Please reopen or create a new issue for any newly found bugs or non-working functionality.

ilijamt commented 1 month ago

@GavinCS did you have some time to try it out? Everything worked out?
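
The two failure modes reported in this issue (the 403 from the /users/:id/... endpoint for gitlab.com group service accounts, and the nil pointer panic when expires_at is null), handled explicitly in an added Go sketch. This is not the plugin's code or part of any comment above; the constant, type and function names are hypothetical, and the YYYY-MM-DD expiry format and the sample JSON are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Hypothetical type names for this sketch; not the plugin's own identifiers.
const (
	UserServiceAccount  = "user-service-account"
	GroupServiceAccount = "group-service-account"
)

// tokenInfo models only the fields used here. ExpiresAt is a pointer so a
// JSON null (token without an expiry date) is representable.
type tokenInfo struct {
	ID        int     `json:"id"`
	ExpiresAt *string `json:"expires_at"`
}

// TokenPath picks the token-creation path from the issue for each account type.
func TokenPath(kind string, groupID, userID int) (string, error) {
	switch kind {
	case UserServiceAccount:
		return fmt.Sprintf("/users/%d/personal_access_tokens", userID), nil
	case GroupServiceAccount:
		return fmt.Sprintf("/groups/%d/service_accounts/%d/personal_access_tokens", groupID, userID), nil
	}
	return "", fmt.Errorf("unknown service account type %q", kind)
}

// Expiry returns (expiry, hasExpiry, err) and never dereferences a nil expires_at.
func Expiry(raw []byte) (time.Time, bool, error) {
	var t tokenInfo
	if err := json.Unmarshal(raw, &t); err != nil {
		return time.Time{}, false, err
	}
	if t.ExpiresAt == nil {
		return time.Time{}, false, nil // non-expiring token: nothing to compute a TTL from
	}
	exp, err := time.Parse("2006-01-02", *t.ExpiresAt) // assumed date-only format
	return exp, err == nil, err
}

func main() {
	p, _ := TokenPath(GroupServiceAccount, 42, 7)
	_, has, err := Expiry([]byte(`{"id":7,"expires_at":null}`)) // constructed sample
	fmt.Println(p, has, err)
}
```

Callers branch on the boolean instead of on a zero time, so a non-expiring token is an explicit case rather than a crash or a bogus TTL.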