
Project Access Token self rotate API correct usage #3203


Closed
pportxyz opened this issue May 23, 2025 · 7 comments

Comments

@pportxyz

Description of the problem, including code/CLI snippet

I'm trying to self-rotate a Project Access Token. I log in to GitLab, get the project from namespace/project and get a list of all the project access tokens. Then I filter them by name (unique client name) and non-revoked status. The token variable is populated as expected. Then I try to rotate it:

import gitlab  # python-gitlab 5.6.0, the version reported below; snippet runs inside a class method

with gitlab.Gitlab(private_token=self.gitlab_token) as gl:
    project = gl.projects.get(REPO_URL)  # REPO_URL is "namespace/project"
    # pick the non-revoked project access token by its unique client name
    token = next(
        token for token in project.access_tokens.list()
        if token.name == self.laude_user and not token.revoked
    )
    print(token)
    # OPTION 1: manager-level rotate by token id
    rotated_token = project.access_tokens.rotate(id=token.id)
    # OPTION 2: object-level rotate
    rotated_token = token.rotate()
    # OPTION 3: object-level rotate with self_rotate, as for Personal Access Tokens
    rotated_token = token.rotate(self_rotate=True)

This is the execution log (masked values with < >):

DEBUG: Starting new HTTPS connection (1): gitlab.com:443
DEBUG: https://gitlab.com:443 "GET /api/v4/projects/<project_url> HTTP/1.1" 200 None
DEBUG: https://gitlab.com:443 "GET /api/v4/projects/<project_id>/access_tokens HTTP/1.1" 200 None
<class 'gitlab.v4.objects.project_access_tokens.ProjectAccessToken'> => {'id': <token_id>, 'name': 'testing', 'revoked': False, 'created_at': '2025-05-23T10:50:44.926Z', 'description': '', 'scopes': ['api', 'read_api', 'create_runner', 'manage_runner', 'k8s_proxy', 'self_rotate', 'read_repository', 'write_repository', 'read_registry', 'write_registry', 'ai_features'], 'user_id': <user_id>, 'last_used_at': '2025-05-23T11:10:21.665Z', 'active': True, 'expires_at': '2025-05-30', 'access_level': 40, 'resource_type': 'project', 'resource_id': <resource_id>}
14494061
DEBUG: https://gitlab.com:443 "POST /api/v4/projects/<project_id>/access_tokens/<token_id>/rotate HTTP/1.1" 401 30
Error rotating token: 401: 401 Unauthorized

As you can see from the logs, the token has full permissions and the Maintainer role, to exclude a permissions issue.

From the GitLab API documentation, the URL has to have this form:

https://gitlab.example.com/api/v4/projects/<project_id>/access_tokens/self/rotate

where self is in place of the <token_id>.

In your documentation I could not find a way to self-rotate a Project Access Token with itself, and it would be very useful. I've tried token.rotate(self_rotate=True) like with Personal Access Tokens, to no avail. It only adds a GET parameter to the request but still uses <token_id> instead of self.

When I make an API call using curl I encounter the same behaviour with <token_id>, but it works as expected with the self keyword:

[image: curl output]

Expected Behavior

The token is rotated with self keyword.

Actual Behavior

The python-gitlab library uses the rotate API call for a specific PAT with id, api/v4/projects/<project_id>/access_tokens/<token_id>/rotate, no matter which code I use.

Specifications

  • python-gitlab version: 5.6.0
  • GitLab server version (or gitlab.com): gitlab.com
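As an added example (not python-gitlab's or GitLab's own code), the following shows the difference between the per-id rotate path the library was sending and the `self` path the API requires when a project access token rotates itself. The HTTP layer is injected so the block runs offline against a constructed fake of gitlab.com; project id 123, token id 4242, the secret strings and the `expires_at` body field (taken from the GitLab rotate documentation) are assumptions of this example and do not come from the issue.

```python
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


class RotationError(Exception):
    """The server rejected the rotation; the message carries the HTTP status."""


def rotate_path(project_id: int | str, token_id: Optional[int] = None) -> str:
    """Build the rotate endpoint for a project access token.

    token_id=None selects the literal ``self`` segment, which the API requires
    when the authenticating token rotates itself; anything else yields the
    per-id form, which the issue shows returning 401 in that situation.
    """
    segment = "self" if token_id is None else str(token_id)
    return f"/projects/{project_id}/access_tokens/{segment}/rotate"


@dataclass(frozen=True)
class RotatedToken:
    id: int
    token: str       # new secret: returned once, persist it before doing anything else
    expires_at: str  # ISO date, YYYY-MM-DD


PostFn = Callable[..., Dict]  # in real use: gitlab.Gitlab(...).http_post


def rotate_token(post: PostFn, project_id: int | str,
                 token_id: Optional[int] = None,
                 expires_at: Optional[dt.date] = None) -> RotatedToken:
    """Rotate a project access token and return its replacement.

    ``expires_at`` is the optional body field of that name from the GitLab
    rotate docs (an assumption of this example; omit it for the server default).
    """
    post_data: Dict[str, str] = {}
    if expires_at is not None:
        post_data["expires_at"] = expires_at.isoformat()
    data = post(rotate_path(project_id, token_id), post_data=post_data)
    return RotatedToken(id=int(data["id"]), token=str(data["token"]),
                        expires_at=str(data["expires_at"]))


@dataclass
class FakeGitLab:
    """Constructed stand-in for gitlab.com so the example runs offline.

    It models only what the issue reports: the calling project access token
    may rotate itself through ``self``; the per-id form is 401 Unauthorized.
    """
    caller_token: str                                       # secret the client authenticates with
    tokens: Dict[str, Dict] = field(default_factory=dict)   # secret -> token record
    today: dt.date = dt.date(2025, 5, 23)                   # fixed clock; default expiry one week out
    _next_id: int = 1000

    def http_post(self, path: str, post_data: Optional[Dict] = None) -> Dict:
        me = self.tokens.get(self.caller_token)
        if me is None or me["revoked"]:
            raise RotationError("401 Unauthorized")   # unknown or already-rotated secret
        parts = path.strip("/").split("/")           # projects/<pid>/access_tokens/<seg>/rotate
        if len(parts) != 5 or parts[2] != "access_tokens" or parts[4] != "rotate":
            raise RotationError("404 Not Found")
        if parts[3] != "self":
            raise RotationError("401 Unauthorized")   # per-id rotate by the token itself
        me["revoked"] = True                          # rotation revokes the old secret
        expires = (post_data or {}).get("expires_at") or \
            (self.today + dt.timedelta(days=7)).isoformat()
        new = {"id": self._next_id, "secret": f"glpat-rotated-{self._next_id}",
               "revoked": False, "expires_at": expires}
        self._next_id += 1
        self.tokens[new["secret"]] = new
        return {"id": new["id"], "token": new["secret"], "expires_at": new["expires_at"]}


def demo() -> Dict[str, object]:
    """Replay the issue's attempts: per-id (rejected), self (accepted), stale reuse."""
    server = FakeGitLab(caller_token="glpat-old", tokens={
        "glpat-old": {"id": 4242, "secret": "glpat-old", "revoked": False,
                      "expires_at": "2025-05-30"}})  # constructed token record
    out: Dict[str, object] = {}
    try:   # the per-id form python-gitlab 5.6.0 sent for all three options in the issue
        rotate_token(server.http_post, 123, token_id=4242)
        out["by_id"] = "ok"
    except RotationError as exc:
        out["by_id"] = str(exc)
    new = rotate_token(server.http_post, 123, expires_at=dt.date(2025, 6, 20))
    out["self"] = new
    try:   # the old secret is dead after rotation; the client must switch to the new one
        rotate_token(server.http_post, 123)
        out["old_reuse"] = "ok"
    except RotationError as exc:
        out["old_reuse"] = str(exc)
    server.caller_token = new.token
    out["rotate_again"] = rotate_token(server.http_post, 123).expires_at
    return out
```

With a real client, `rotate_token(gl.http_post, project.id)` sends the same `self` path; python-gitlab raises its own `GitlabAuthenticationError` or `GitlabHttpError` rather than `RotationError`, so catch those instead. The rotated secret is only returned in that one response, so write it to wherever the job reads its credential before the next request, and note that the token listing in the issue shows both `api` and `self_rotate` among the scopes of the token being rotated.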
@JohnVillalovos
Member

This has been fixed in #3196

It should be in the next release which will happen in a few days.

@pportxyz
Author

Oh, I checked the issues but not the PRs.

Thank you very much!

@JohnVillalovos
Member

You're welcome. FYI: releases happen on the 28th of each month, so the next release should be in 5 days.

@kingdonb

kingdonb commented Jun 4, 2025

Hi! I am looking to use the rotate API, we have upgraded to GitLab 18 and the python-gitlab rotate seems to have broken.

I see there's still a release due out with this fix. Does the issue affect all token rotation, or only self-rotation?

We are getting 401 Unauthorized for jobs that previously rotated successfully. They use a group admin token, not a self-rotate privilege, but I see there hasn't been a python-gitlab release in some time, so I guess I might be suffering from a different form of the same issue.

Should I open a separate issue? (I would love to test the updated module from the main branch, this is a sandbox environment, but I am new at Python and not sure how!)

Edit: I think I have tested with the latest @ main branch:
python-gitlab @ git+https://github.com/python-gitlab/python-gitlab@f49d54e6efd8a9069d3424fa10336564b416fd05
and I am still getting 401 Unauthorized:

in renew_expiring_gitlab_tokens
    ).rotate()
      ^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/gitlab/cli.py", line 60, in wrapped_f
    return f(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/gitlab/exceptions.py", line 346, in wrapped_f
    return f(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/gitlab/mixins.py", line 678, in rotate
    server_data = self.manager.rotate(token_id, **kwargs)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/gitlab/cli.py", line 60, in wrapped_f
    return f(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/gitlab/exceptions.py", line 346, in wrapped_f
    return f(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/gitlab/mixins.py", line 644, in rotate
    server_data = self.gitlab.http_post(path, post_data=data, **kwargs)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/gitlab/client.py", line 985, in http_post
    result = self.http_request(
             ^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/gitlab/client.py", line 764, in http_request
    raise gitlab.exceptions.GitlabAuthenticationError(
gitlab.exceptions.GitlabAuthenticationError: 401: 401 Unauthorized

Is this possibly related? The admin token I'm using has api/Maintainer level access to the group, and definitely worked to fetch the group and project, list access tokens, etc. The (project, read) token I'm renewing also does have self_rotate, but I'm not using it yet.

@JohnVillalovos
Member

As a note the automatic release didn't run. But I have manually triggered it. And also re-enabled it to run on the automated schedule.

Please give it a try now with the latest release.

@kingdonb

kingdonb commented Jun 4, 2025

Thanks for this issue. I was able to configure self-rotate with the new 6.0.0 and it appears to be working now.

You did it! 🎉 🌮 🏆

@JohnVillalovos
Member

Glad it works 👍
