Getting an access token via ssh

Hi all,

We are using GitLab in a multi-project/package environment. Given that we started this long before the package registry existed, we are using a git-based package manager, quark.

Some projects are hard/long to build and so we created some _output companion repositories to store the build artifacts to be retrieved via quark (ssh+git).

This solution has an interesting side effect: we can use the same exact authentication mechanism (personal or deploy ssh keys) both locally and on the CI.

Let’s say we’d like to move towards using the projects' artifacts/registries more: what is the suggested way to allow the same experience both locally and inside the CI?

We lived happily till now setting up an SSH key, so the option of manually creating an access token, storing it and managing it locally on multiple machines is a clear loss in UX (https://direnv.net/ exists and is a :genie: idea).

  1. Can we automate the token creation to create a seamless experience? CLI, remote-ssh-friendly automation
  2. Might it be possible to use ssh to (feature requests):
    a) retrieve the artifacts from some sort of on-the-fly fake repo?
    b) retrieve a temporary personal token that will work very much like the $CI_JOB_TOKEN?

The b) option may allow a better experience using the gitlab-runner exec feature.

I discovered that in the gitlab-shell project, the custom shell that responds to git, we already have a GetPersonalAccessToken function. Does someone know if it is possible to reach that function using git or ssh?

Found! The feature seems to be already there:

```
$ ssh git@gitlab.foo.com personal_access_token
remote: 
remote: ========================================================================
remote: 
remote: Usage: personal_access_token <name> <scope1[,scope2,...]> [ttl_days]
remote: 
remote: ========================================================================
remote: 
$ ssh git@gitlab.foo.com personal_access_token cli-friendly-token read_repository,read_api 10
Token:   7...ixvzoW...szp
Scopes:  read_repository,read_api
Expires: 2020-11-08
```

This is not exactly what I was searching for, but now a script can retrieve a token and manage the correct header depending on the context using PRIVATE-TOKEN vs JOB-TOKEN.
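
One way to write the script the last paragraph describes, as an added example that is not part of the original post. The function names and the variables GITLAB_SSH, PAT_NAME, PAT_SCOPES and PAT_TTL_DAYS are assumptions; the output layout it parses is the one shown above.

```shell
#!/bin/sh
# Added example. Assumed variables: GITLAB_SSH (e.g. git@gitlab.foo.com),
# PAT_NAME, PAT_SCOPES, PAT_TTL_DAYS. Defaults request the narrowest scope
# and the shortest lifetime, so a leaked token is of limited use.

# Extract one field ("Token", "Scopes" or "Expires") from the reply on stdin.
pat_field() {
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Ask gitlab-shell for a personal access token and print only the token.
# Fails if the reply has no Token line (e.g. the usage banner came back).
fetch_pat() {
    out=$(ssh "$GITLAB_SSH" personal_access_token \
        "${PAT_NAME:-cli-token}" "${PAT_SCOPES:-read_api}" \
        "${PAT_TTL_DAYS:-1}") || return 1
    token=$(printf '%s\n' "$out" | pat_field Token)
    [ -n "$token" ] || { echo "no token in server reply" >&2; return 1; }
    printf '%s\n' "$token"
}

# Print the header to send: JOB-TOKEN inside a CI job (CI_JOB_TOKEN is set
# by the runner), PRIVATE-TOKEN with a freshly issued token everywhere else.
gitlab_auth_header() {
    if [ -n "${CI_JOB_TOKEN:-}" ]; then
        printf 'JOB-TOKEN: %s\n' "$CI_JOB_TOKEN"
    else
        token=$(fetch_pat) || return 1
        printf 'PRIVATE-TOKEN: %s\n' "$token"
    fi
}

# Usage: pipe the header to curl on stdin so the token never appears in the
# process list or in shell history (curl >= 7.55.0 reads headers from @-):
#   gitlab_auth_header | curl --fail --header @- "$ARTIFACT_URL"
```

The token is held only in a shell variable and a pipe; if you cache it on disk instead, create the file under `umask 077` and let the short TTL expire it.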