stable URL: /l/credential-manager-docs
cki_tools.credential_manager
Manage CKI service account secrets across services
This page has an internal companion page which might contain additional information.
Manage credentials for service accounts and their meta data as stored in CKI secrets.
Metrics
Usage:
python -m cki_tools.credential_manager metrics
This will output the following Prometheus metrics related to the stored credentials:
| name | supported token_type |
description |
|---|---|---|
cki_token_expires_at |
bugzilla_token, gitlab_token |
ISO8601 expiry date |
GitLab
For various kinds of GitLab tokens, the tool supports
-
creation (
create)python -m cki_tools.credential_manager gitlab create --token TOKEN_SECRET_NAME -
meta data update (
update)python -m cki_tools.credential_manager gitlab update -
validation (
validate)python -m cki_tools.credential_manager gitlab validate
Project access tokens
See the API description for details.
| name | create | update | validate | description |
|---|---|---|---|---|
| (secret) | required | required | secret token | |
token_type |
required | required | required | gitlab_token |
gitlab_token_type |
required | required | required | project_token |
project_url |
required | required | required | Project URL |
scopes |
required | updated | Access scope | |
access_level |
required | updated | Access levels | |
token_name |
required | updated | Name of the token | |
token_id |
updated | updated | Project access token ID | |
created_at |
updated | updated | ISO8601 timestamp of creation | |
expires_at |
updated | updated | ISO8601 expiry date | |
revoked |
updated | updated | Whether the token is already revoked | |
active |
updated | updated | Whether the token is still active | |
user_id |
updated | updated | ID of associated user | |
user_name |
updated | updated | Name of associated user |
Group access tokens
See the API description for details.
| name | create | update | validate | description |
|---|---|---|---|---|
| (secret) | required | required | secret token | |
token_type |
required | required | required | gitlab_token |
gitlab_token_type |
required | required | required | group_token |
group_url |
required | required | required | Group URL |
scopes |
required | updated | Access scope | |
access_level |
required | updated | Access levels | |
token_name |
required | updated | Name of the token | |
token_id |
updated | updated | Group access token ID | |
created_at |
updated | updated | ISO8601 timestamp of creation | |
expires_at |
updated | updated | ISO8601 expiry date | |
revoked |
updated | updated | Whether the token is already revoked | |
active |
updated | updated | Whether the token is still active | |
user_id |
updated | updated | ID of associated user | |
user_name |
updated | updated | Name of associated user |
Personal access tokens
See the API description for details.
Token creation is not supported.
| name | update | validate | description |
|---|---|---|---|
| (secret) | required | required | secret token |
token_type |
required | required | gitlab_token |
gitlab_token_type |
required | required | personal_token |
instance_url |
required | required | GitLab instance URL |
scopes |
updated | Access scope | |
token_name |
updated | Name of the token | |
token_id |
updated | Access token ID | |
created_at |
updated | ISO8601 timestamp of creation | |
expires_at |
updated | ISO8601 expiry date | |
revoked |
updated | Whether the token is already revoked | |
active |
updated | Whether the token is still active | |
user_id |
updated | ID of associated user | |
user_name |
updated | Name of associated user |
Project deploy tokens
See the API description for details.
| name | create | update | validate | description |
|---|---|---|---|---|
| (secret) | secret token | |||
token_type |
required | required | required | gitlab_token |
gitlab_token_type |
required | required | required | project_deploy_token |
project_url |
required | required | required | Project URL |
scopes |
required | updated | Access scope | |
token_name |
required | updated | Name of the token | |
token_id |
updated | updated | required | Project deploy token ID |
created_at |
updated | ISO8601 timestamp of creation | ||
expires_at |
optional | updated | ISO8601 expiry date | |
revoked |
updated | updated | Whether the token is already revoked | |
expired |
updated | updated | Whether the token is already expired | |
user_name |
updated | updated | Associated user name |
Group deploy tokens
See the API description for details.
| name | create | update | validate | description |
|---|---|---|---|---|
| (secret) | secret token | |||
token_type |
required | required | required | gitlab_token |
gitlab_token_type |
required | required | required | group_deploy_token |
group_url |
required | required | required | Group URL |
scopes |
required | updated | Access scope | |
token_name |
required | updated | Name of the token | |
token_id |
updated | updated | required | Group deploy token ID |
created_at |
updated | ISO8601 timestamp of creation | ||
expires_at |
optional | updated | ISO8601 expiry date | |
revoked |
updated | updated | Whether the token is already revoked | |
expired |
updated | updated | Whether the token is already expired | |
user_name |
updated | updated | Associated user name |
Runner authentication tokens
See the API description for details.
Token creation is not supported.
| name | update | validate | description |
|---|---|---|---|
| (secret) | required | required | secret token |
token_type |
required | required | gitlab_token |
gitlab_token_type |
required | required | runner_authentication_token |
instance_url |
required | required | GitLab instance URL |
token_id |
updated | Group token ID | |
expires_at |
updated | ISO8601 expiry date (optional) |
Configuration via environment variables
| Name | Secret | Required | Description |
|---|---|---|---|
GITLAB_TOKENS |
no | yes | URL/environment variable pairs of GitLab instances and private tokens |
GITLAB_TOKEN |
yes | yes | GitLab private tokens as configured in GITLAB_TOKENS above |
CKI_LOGGING_LEVEL |
no | no | logging level for CKI modules, defaults to WARN; to get meaningful output on the command line, set to INFO |