Getting an access token via ssh

naufraghi · October 28, 2020, 8:50am

Hi all,

we are using GitLab in a multi project/package environment, given we started this long before the package registry existence, we are using a git based package manager quark.

Some projects are hard/long to build and so we created some _output companion repositories to store the build artifacts to be retrieved via quark (ssh+git).

This solution has an interesting side effect: we can use the same exact authentication mechanism (personal or deploy ssh keys) both locally and on the CI.

Let’s say we’d like to move towards using more the projects artifacts/registries, what is the suggested way to allow the same experience both locally and inside the CI?

We lived happily till now setting up an SSH key, so the option of manually create an access token, store it and manage it locally on multiple machines is a clear loss in UX (https://direnv.net/ exists and is a idea).

can we automate the token creation to create a seamless experience? cli, remote ssh friendly automation
may be possible to use ssh to (feature requests):
a) retrieve the artifacts from some sort of on-the-fly fake repo?
b) retrieve a temporary personal token that will work very like the $CI_JOB_TOKEN?

The b) option may allow a better experience using the gitlab-runner exec feature.

naufraghi · October 28, 2020, 3:34pm

I discovered that in the gitlab-shell project, the custom shell that responds to git, we already have a GetPersonalAccessToken function, do someone know if it is possible to reach that function using git or ssh?

naufraghi · October 28, 2020, 4:15pm

Found! The feature seems to be already there:

$ ssh git@gitlab.foo.com personal_access_token
remote: 
remote: ========================================================================
remote: 
remote: Usage: personal_access_token <name> <scope1[,scope2,...]> [ttl_days]
remote: 
remote: ========================================================================
remote: 
$ ssh git@gitlab.foo.com personal_access_token cli-friendly-token read_repository,read_api 10
Token:   7...ixvzoW...szp
Scopes:  read_repository,read_api
Expires: 2020-11-08

This is not exactly what I was searching for, but now a script can retrieve a token and manage the correct header depending on the context using PRIVATE-TOKEN vs JOB-TOKEN.

mikedoy · May 17, 2022, 2:17pm

How did you find this solution? Is there a list of available commands that can be run through ssh?
In particular is there a revoke?

hockdudu · June 5, 2024, 1:44pm

You can see a list of commands here: GitLab Shell feature list | GitLab

Topic		Replies	Views
How to git clone private repositories without SSH using the runner or private token? How to Use GitLab	1	16227	November 17, 2017
How can I create a Personal Access Tokens by API How to Use GitLab	4	6661	December 2, 2017
API token in CI job How to Use GitLab	3	2934	September 29, 2017
How to use personal github access token with gitlab runner GitLab CI/CD	0	2400	December 18, 2018
Capability to NPM install private gitlab repo How to Use GitLab	0	6448	December 5, 2016

Getting an access token via ssh

Related topics