Problem to solve
We are using pipeline jobs on GitLab SaaS which access a container image which includes many scripts.
The project is at company/devops/pipeline-tools, and in the CI/CD settings we enabled “All groups and projects” under Job token permissions.
When projects executed the pipelines (e.g. from company/projects/project-1/service-1), this was working fine until last week. Since this week it is still working for commits by normal users who have access to the pipeline-tools project, but it is no longer working for commits made with a group access token.
The group access tokens are not at company level, but at the sub-group level of the customer projects (e.g. company/projects/project-1).
What are you seeing, and how does that differ from what you expect to see?
The Job aborts because it can’t access the pipeline-tools image, but it should work, because I gave the Job Token Permission to access that project.
Steps to reproduce
- Create a Job which uses a Container Image of another project to which the group access token usually has no access
- The Project which includes the Container Image must have “Job token permissions” with Authorized groups and projects set to “All groups and projects”
- Add this Job to the Pipeline of a Project to which the Group Access Token has access
- Start a pipeline using the Group access token (e.g. by creating a commit)
Configuration
```yaml
pipeline-tools-script:
  image: "${CI_REGISTRY}/company/devops/pipelines/pipeline-tools:latest"
  stage: script
  script:
    - python3 -u /pipeline-tools/script.py
```
Versions
Please select whether options apply, and add the version information.
- Self-managed
- GitLab.com SaaS
- Dedicated
- Self-hosted Runners