I’d like to post an MR comment via GitLab’s REST API from a CI job using a CI-managed token (ideally CI_JOB_TOKEN, but it doesn’t have the necessary permissions). I could use a project access token, but that’s not personalized. So I thought it might be possible to leverage CI_JOB_JWT_V2 to retrieve a GitLab OAuth2 token (because it has more permissions) that I can use to authenticate against GitLab’s REST API, similar to how it can be used to integrate with cloud services, since GitLab itself is an OpenID Connect identity provider. So I set up a simple proof of concept CI job inspired by this docs section:

    test:
      image: curlimages/curl:latest
      id_tokens:
        GITLAB_OAUTH_TOKEN:
          aud: https://gitlab.com
      script:
        - echo "$GITLAB_OAUTH_TOKEN" | base64
        # TODO: Make cURL request to GitLab's REST API

When I decode the base64-encoded string and check it in the JWT debugger, it’s simply the CI_JOB_JWT_V2 again, so this doesn’t work.
I’m probably misunderstanding something. Is it at all possible to exchange the CI_JOB_JWT_V2 token for an OAuth2 token? If so, how?