Including private project file using `$CI_JOB_TOKEN`
What I got so far is that it is possible to authenticate with a personal access token and include an external CI script, but a cleaner approach would be to get access using `$CI_JOB_TOKEN`, since it is more secure and restricted. I am looking into whether it can be done this way:
`include 'https://gitlab-ci-token:${CI_JOB_TOKEN}@raw-file-url'`
I have tried to curl in this format in a dummy script job, but it fails to fetch the file.
Apparently, an external script can be imported using the file API and `$CI_JOB_TOKEN` (https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2346/diffs), but I am looking into whether the `include` feature also supports this. Any suggestion on how to achieve that is appreciated.
Solution 1:[1]
Unfortunately, `CI_JOB_TOKEN` is very limited in scope. As of today (GitLab 11.0), you can only do two things with it:
- Authenticate with the GitLab Container (Docker) Registry
- Authenticate to trigger a multi-project pipeline (EE only)
So you cannot use `CI_JOB_TOKEN` to download a file from another repository, neither via the raw endpoint (`/raw/<ref>/<path>`) nor the API.
Unfortunately, deploy keys don't help either -- they are only for SSH.
The only workable solution I've come up with is to use a separate user:
- Create a new user with the Reporter role.
- Create a personal access token (`/profile/personal_access_tokens`) for that user with `api` and `read_repository` rights.
- Add this token as a secret variable in the project CI/CD settings. Call it e.g. `BUILD_USER_TOKEN`.
- Use `$BUILD_USER_TOKEN` in your CI script to access the API or project files.
This is a huge hack, and I really hope to see GitLab make `CI_JOB_TOKEN` a first-class, read-only (?) token with rights to specified resources.
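One defensive way to put the `$BUILD_USER_TOKEN` workaround above into a CI script, as an added example that is not code from the answerers or from GitLab: it fetches a file through the GitLab files API raw endpoint with the token sent in the `PRIVATE-TOKEN` header rather than embedded in the URL (so it does not land in job or proxy logs), and percent-encodes the project and file paths the way that endpoint expects. The host, project, file and ref values used below are placeholders.

```shell
# Percent-encode a string per RFC 3986 (only unreserved characters kept).
# GitLab's files API needs "group/project" and "dir/file.yml" encoded this way.
urlencode() {
  s=$1
  out=''
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}   # first character of $s
    s=${s#?}          # drop it
    case $c in
      [A-Za-z0-9_.~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Build the raw-file URL: $1 base URL, $2 project path, $3 file path, $4 ref.
gitlab_raw_file_url() {
  printf '%s/api/v4/projects/%s/repository/files/%s/raw?ref=%s' \
    "$1" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")"
}

# Download $3 from project $2 at ref $4 into local file $5, authenticating
# with the personal access token stored in the BUILD_USER_TOKEN CI variable.
# Refuses to run without the token so a misconfigured job fails loudly
# instead of silently fetching nothing or printing an unauthenticated error.
fetch_ci_include() {
  if [ -z "${BUILD_USER_TOKEN:-}" ]; then
    echo 'fetch_ci_include: BUILD_USER_TOKEN is not set' >&2
    return 2
  fi
  curl --fail --silent --show-error \
    --header "PRIVATE-TOKEN: $BUILD_USER_TOKEN" \
    --output "$5" \
    "$(gitlab_raw_file_url "$1" "$2" "$3" "$4")"
}

# Typical use inside a job's before_script (placeholder values):
# fetch_ci_include https://gitlab.example.com ci/templates build.yml master ./build.yml
```

Mark `BUILD_USER_TOKEN` as masked (and protected, if only protected branches need it) in the CI/CD variable settings so the value is redacted from job output.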
Solution 2:[2]
Still there is no support for `CI_JOB_TOKEN` to have useful API access, but they are working on it: https://gitlab.com/groups/gitlab-org/-/epics/3559
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
| Solution 2 | Mike Hofmann |