not working vault put gitlab/config/rotate

[venerari]

Hi Ilijamt,

How do you make the autorotate to true? Did this "vault read gitlab/config" and it say autorotate is false. Also when I run "vault put gitlab/config/rotate" didn't work.

Thanks, RIc

[ilijamt]

As part of the setup.

https://github.com/ilijamt/vault-plugin-secrets-gitlab?tab=readme-ov-file#config

You need to make sure you set up auto_rotate_token to true, this will make the token autorotate. But this only happens when token expiry is less than auto_rotate_before (defaults to 24h). In this case, Vault manages to autorotate the main token.

Are you getting an error when you try to hit that endpoint? This should work, actually. Maybe it's not a bad idea to change it to a different operation and not a read. I see the readme has a put it should be a read, that is wrong.

vault read gitlab/config/rotate

Can you try the read?

[ilijamt]

The operation will remain as read as, using a different operation requires input.

[venerari]

Here you go,

/ $ vault write gitlab/config base_url=https://gitlab.com token=glpat-XXXXXXXXX auto_rotate_token=true revoke_auto_rotated_token=f
alse auto_rotate_before=48h
Key                   Value
---                   -----
auto_rotate_before    48h0m0s
auto_rotate_token     true
base_url              https://gitlab.com
token                 glpat-xxxxxxxxxxxxxxxx
token_expires_at      n/a
/ $ 
/ $ 
/ $ vault read gitlab/config
Key                   Value
---                   -----
auto_rotate_before    48h0m0s
auto_rotate_token     true
base_url              https://gitlab.com
token                 glpat-xxxxxxxxxxxxxxx
token_expires_at      n/a
/ $ 

So this would autorotate my token glpab-XXXXXXXXXXXXXXXXXXX, so if I refer this as gitlab secret token, it should autorotate?

Thanks and more power!

[ilijamt]

Yes it should autorotate that token, if you update to the newer version it should show you more information as well. Like expiry date and stuff like that.

The new version of the plugin will rotate the token immediately, irrespectively of how long the old token has until it expires.

[ilijamt]

I've only tested this plugin on self-hosted instances of GitLab, don't know if this works in gitlab.com

[venerari]

I'll let you know later when it worked in gitlab.com. Is this secret autoroate will both work in Gitlab Secret Token and VSO, or as long as it is stored in the kv-v2 secret right?

[TJM]

@venerari - beware you posted a token in the output of your command yesterday, make sure you deactivate that token :)

[ilijamt]

The token was valid, I ran curl -X DELETE -H "PRIVATE-TOKEN: glpat-zT-mxwafsCy3wEQNrTN5" https://gitlab.com/api/v4/personal_access_tokens/self to deactivate the token.

Please be careful in the future not to post sensitive information in the public domain.

[venerari]

It didn't rotate,

/ $ vault read gitlab/config Key Value

---

auto_rotate_before 25h0m0s auto_rotate_token true base_url https://gitlab.com token glpat-nnnnnnnnnnnnnnnnnnnnnnnn token_expires_at 2024-05-04T00:00:00Z

Token still the same, I guess I need to test on on-prem.

Here's the command I issue yesterday,

vault write gitlab/config base_url=https://gitlab.com/ token=glpat-nnnnnnnnnnnnnnnnnnnn auto_rotate_token=true revoke_auto_rotated_token=false auto_rotate_b efore=25h0m0s Key Value

---

auto_rotate_before 25h0m0s auto_rotate_token true base_url https://gitlab.com/ token glpat-nnnnnnnnnnnnnnnnnnnnnnn token_expires_at n/a

[venerari]

Does super-token only works?

[ilijamt]

Like I said, I've never tested this on Gitlab.com, but on a Self-Hosted one you need admin privleges otherwise you cannot create tokens for Service Accounts or other users for example. Don't know if Group or Project tokens would work with Gitlab though, because you wouldn't need admin privileges for that I think.

[venerari]

Ok, I'll test it on my local one which is a free gitlab, later, thanks!

[venerari]

I'm testing on work gitlab now, does this need to be supertoken?

vault write gitlab/config base_url=https://gitlab.example.com token=gitlab-super-secret-token auto_rotate_token=false revoke_auto_rotated_token=false auto_rotate_before=48h

[venerari]

You have ur changes on this

/ $ vault read gitlab/config Key Value

---

auto_rotate_before 25h0m0s auto_rotate_token true base_url https://gitlab.example:6443/ revoke_auto_rotated_token false token_expires_at n/a token_id 0 token_sha1_hash 6729f84071xxxxxxxxxxxxxxxxxa94b89b65c

How do I know this rotated?

[venerari]

does this work with free version of vault?

[ilijamt]

Yes, this is all tested with the free version of Vault. You can compare the SHA value to see if the token has been rotated, but the token will not be rotated until the token has less than auto_rotate_before before it expires.

[TJM]

@ilijamt hate to sidetrack this one, but my vault read gitlab/config/rotate is not working either.

I just get a 403 error.

Steps

• Create a service account (POST to /service_accounts), get ID from output
• Create a PAT for service account (POST to /users/UID/personal_access_tokens), get token from oputput
• Configure vault-plugin-secrets-gitlab

[tmcneely@local ~]$ vault write gitlab/config base_url=https://gitlab.company.com auto_rotate_token=true token=$GITLAB_TOKEN
WARNING! The following warnings were returned from Vault:

  * auto_rotate_token not specified setting to 24h0m0s

Key                          Value
---                          -----
auto_rotate_before           24h0m0s
auto_rotate_token            true
base_url                     https://gitlab.company.com
revoke_auto_rotated_token    false
token_expires_at             n/a
token_id                     0
token_sha1_hash              c672ba89be33be1bfe5f319f9e855d06b672cbe5

• Then, when I try to rotate:

[tmcneely@local ~]$ vault read gitlab/config/rotate
Error reading gitlab/config/rotate: Error making API request.

URL: GET https://vault.company.com/v1/gitlab/config/rotate
Code: 500. Errors:

* 1 error occurred:
    * POST https://gitlab.company.com/api/v4/users/55/personal_access_tokens: 403 {message: 403 Forbidden}

~Maybe one PAT can't create another PAT?~ This is an admin-only endpoint, If it is trying to create its own access token, it should be using /user/personal_access_tokens. However, there is a rotation API endpoint, which might be even better: (POST /personal_access_tokens/:id/rotate) https://docs.gitlab.com/ee/api/personal_access_tokens.html#use-a-personal-access-token-id

On a side note: For what it's worth, other module's config/rotate endpoints usually use vault write -f MOUNT/config/rotate to get around the required input, and make the rotation operation seem more impactful (write vs read). It is completely arbitrary, I suppose, but adding a POST/PUT method seems like a good choice to me. :)

[ilijamt]

The reason it's using the admin endpoint is so it can check if the new token works before revoking the old one. And also because you have the option not to revoke the old one. And if I use the rotate endpoint then the old one is revoked. If I use remove the auto remove the token then I can modify it to use the rotate endpoint.

So to be able to rotate and create new PAT, the token needs administrator privileges.

[ilijamt]

On a side note: For what it's worth, other module's config/rotate endpoints usually use vault write -f MOUNT/config/rotate to get around the required input, and make the rotation operation seem more impactful (write vs read). It is completely arbitrary, I suppose, but adding a POST/PUT method seems like a good choice to me. :)

I've been thinking of changing it just haven't gotten around to it yet as this is also functional.

[TJM]

I need the ability to use this tool without using admin tokens. So, maybe I should create a feature req (or MR) to use the rotation API, or just the user level create access token for rotation? I have no intention of allowing this to create PAT's for other users... just group/project access tokens, from within a certain group (multi-tenant situation).

[ilijamt]

97