
Rotate a personal access token for a service account API does not provide an option to specify an expiry date

Summary

When a personal access token for a service account is created, an optional parameter of expires_at can be used to set the token expiry date.

It is possible to rotate a personal access token for a service account user using the API. However, for this API there is no option to specify a new expiry date, so the default of 7 days from the date the rotate call is made is applied to the newly rotated token.

This is not in line with the behaviour offered in the Rotate a personal access token API for user PATs.

Steps to reproduce

  1. Create the service account token:

     curl --request POST --header "PRIVATE-TOKEN: glpat-xxx" "https://gitlab.example.com/api/v4/groups/123/service_accounts/456/personal_access_tokens" --data "scopes[]=read_user" --data "name=service_accounts_token" --data "expires_at=2024-11-21"

     Response:

     {"id":1234,"name":"service_accounts_token","revoked":false,"created_at":"2024-11-20T11:29:02.353Z","scopes":["read_user"],"user_id":456,"last_used_at":null,"active":true,"expires_at":"2024-11-21","token":"glpat-yyy"}

  2. Use the rotate API call:

     curl --request POST --header "PRIVATE-TOKEN: glpat-xxx" "https://gitlab.example.com/api/v4/groups/123/service_accounts/456/personal_access_tokens/1234/rotate"

     Response:

     {"id":1235,"name":"service_accounts_token","revoked":false,"created_at":"2024-11-20T11:32:02.923Z","scopes":["read_user"],"user_id":456,"last_used_at":null,"active":true,"expires_at":"2024-11-27","token":"glpat-zzz"}
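The following is an added example, not code from this issue or from the GitLab project. It wraps the rotate call from the steps above and then checks the expiry the server actually set against the expiry that was requested, so an operator can tell whether the 7-day default was applied and whether the rotated token now outlives the intended date. The base URL, ids and `glpat-...` values are placeholders; sending `expires_at` as form data on the rotate call is an assumption (the issue reports the endpoint has no such option today), and the constructed sample response is the one quoted in step 2.

```python
"""Added example (not code from the GitLab issue or the GitLab project):
rotate a service-account PAT and verify the expiry the server actually set.

Assumptions, labelled here: the base URL, group/user/token ids and the
admin token are placeholders; the `expires_at` form field is sent on the
rotate call the same way the create call accepts it, even though the issue
reports that the service-account rotate endpoint does not honour it.
"""
import json
from datetime import date
from urllib import parse, request

# Lifetime the issue reports being applied by default to a rotated service-account PAT.
DEFAULT_ROTATE_DAYS = 7


def rotate_url(base_url, group_id, user_id, token_id):
    """Build the service-account PAT rotate endpoint URL (path as shown in the issue)."""
    return (f"{base_url}/api/v4/groups/{group_id}/service_accounts/{user_id}"
            f"/personal_access_tokens/{token_id}/rotate")


def rotate_service_account_token(base_url, admin_token, group_id, user_id,
                                 token_id, expires_at=None):
    """POST to the rotate endpoint and return the decoded JSON response.

    Sends expires_at as form data when given (assumption: same field name as
    the create call). Whether the server honours it is what check_expiry tells you.
    """
    body = parse.urlencode({"expires_at": expires_at}).encode() if expires_at else b""
    req = request.Request(rotate_url(base_url, group_id, user_id, token_id),
                          data=body, method="POST",
                          headers={"PRIVATE-TOKEN": admin_token})
    with request.urlopen(req) as resp:
        return json.load(resp)


def check_expiry(response, requested_expires_at=None):
    """Compare the expiry on the rotated token with what was requested.

    Returns a dict so the result can be logged or asserted on: the lifetime in
    days from created_at, whether the requested date was honoured, whether the
    7-day default was applied instead, and whether the token now outlives the
    date the caller asked for (the case that matters for access review).
    """
    created = date.fromisoformat(response["created_at"][:10])
    actual = date.fromisoformat(response["expires_at"])
    requested = date.fromisoformat(requested_expires_at) if requested_expires_at else None
    honoured = requested is not None and actual == requested
    lifetime = (actual - created).days
    return {
        "token_id": response["id"],
        "expires_at": actual.isoformat(),
        "lifetime_days": lifetime,
        "requested_honoured": honoured,
        "default_applied": not honoured and lifetime == DEFAULT_ROTATE_DAYS,
        "longer_than_requested": requested is not None and actual > requested,
    }


# Constructed sample: the rotate response quoted in the issue (token value is a placeholder).
SAMPLE_ROTATE_RESPONSE = json.loads(
    '{"id":1235,"name":"service_accounts_token","revoked":false,'
    '"created_at":"2024-11-20T11:32:02.923Z","scopes":["read_user"],"user_id":456,'
    '"last_used_at":null,"active":true,"expires_at":"2024-11-27","token":"glpat-zzz"}'
)

if __name__ == "__main__":
    # Offline run over the constructed sample. For a live check, replace the sample with
    # rotate_service_account_token("https://gitlab.example.com", "glpat-xxx", 123, 456, 1234, "2024-11-21")
    print(json.dumps(check_expiry(SAMPLE_ROTATE_RESPONSE, "2024-11-21"), indent=2))
```

Run against the sample response from step 2 with a requested expiry of 2024-11-21, the check reports a 7-day lifetime, `requested_honoured` false, `default_applied` true and `longer_than_requested` true, which is exactly the parity gap this issue describes; once `expires_at` is honoured, the same check passes unchanged.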

Example Project

What is the current bug behavior?

There is no parity between the rotate API calls for user PATs and service account PATs: the service account rotate call cannot set a new expiry date.

What is the expected correct behavior?

Allow the use of expires_at in the rotate API for Service accounts similar to the rotate for user account PATs.

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info


(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check


(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:check SANITIZE=true`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)

(we will only investigate if the tests are passing)

Possible fixes