Gitlab sync tokens with environment variables

Question

In Gitlab, I use all sorts of Project Access Tokens to access Gitlab resources within the pipeline. I create the tokens then create environment variables and put the generated token values there.

Say, TokenX goes to VarX but this is really cumbersome and error prone because:

• The virtual mapping between TokenX and VarX is completely defined outside of the Gitlab.
• Tokens get expired and I have to manually update them and affected environment variables (double work).

My question is: Is there any built-in ways to automate syncing the tokens with environment variables? and if not, what is the desired way to do that?

Answer 1

In the link you mentioned you have the Project access token expiry emails section which should help you with your problem by reminding you about Tokens that will expire soon.

Another thing that may help a little with reducing the double work, is to centralise the token(secret) management. Maybe you can save them on Project scope and then you will not need to update the tokens for each repo.

Alternatively(a bit of topic from your original request) you can try a centralised secret manager, like Vault. It will not completely remove the problem, but at least will help to organise all the tokens in one place.

Finally, IMHO the inconvenience you are experiencing is a feature. In context of access security we always have to compromise a little. In this case, by not having a fully automated way to renew Tokens you solve the problem of lost active tokens. Before Gitlab 16.0 you could have tokens without expiration date but the Gitlab folks decided that it's a no go.