azure azure-active-directory gitlab-ci gitlab-api

How to access GitLab (Azure integrated) APIs using AAD

We use GitLab enterprise within our company and it is integrated with Azure (https://docs.gitlab.com/integration/azure/).

In some of our pipelines, we want to generate an access token for some internal repository and it will be included in each image we build. Now instead of creating personal access token / project token and set it to an environment variable which is against the company's policy for secret management, we want to use a secured technical account to log into Azure, then use the Azure token to get access to GitLab APIs. The technical account will be granted access to GitLab enterprise within the company.

But from the above link, which mainly talks about integration on the server side, it's not clear how we can do this on the client side. In general, when the technical account is a service principle, we get AAD token with client credential flow as:

curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token \
-d 'client_id=<client-id>' \
-d 'grant_type=client_credentials' \
-d 'client_secret=<client-secret>'

I want to see what we need to do to get a token to access our GitLab APIs - do we need a specific -d 'scope=xxx' or -d 'resource=xxxx'?

Solution

You can’t use an Azure AD token to call GitLab APIs directly unless GitLab is set up to trust Azure AD tokens (via OpenID Connect for backend access). Most GitLab-Azure integrations only support user login (frontend), not service-to-service API access using AAD tokens.

To achieve secure API access using Azure AD without personal or project access tokens, you have two main options,

Use GitLab OAuth (OIDC) with Azure AD and exchange token for GitLab access token Please refer this Msdoc to get AAD token using Client Credentials Flow:

curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token \
-d 'client_id=<client-id>' \
-d 'scope=api://<gitlab-app-id>/.default' \
-d 'client_secret=<client-secret>' \
-d 'grant_type=client_credentials'

Exchange the AAD token at GitLab’s /oauth/token endpoint (if GitLab supports token exchange):

curl -X POST https://gitlab.example.com/oauth/token \
-d grant_type=urn:ietf:params:oauth:grant-type:token-exchange \
-d subject_token=<AAD_access_token> \
-d subject_token_type=urn:ietf:params:oauth:token-type:access_token \
-d client_id=<gitlab-client-id> \
-d client_secret=<gitlab-client-secret>

You can also use a GitLab OAuth App + Azure Token Flow

Please refer this Doc to Configure Gitlab as an Oauth 2.0 Authentication identity provider.

Register a GitLab OAuth App in GitLab (Admin ➝ Applications).
Configure your Azure service principal or app to call GitLab’s OAuth /token endpoint (with client_credentials or authorization_code grant, depending on what's supported).
Store the resulting GitLab API token securely in a key vault or workload identity system (e.g., Azure Managed Identity with Key Vault-backed secrets).

This approach will avoid personal/project tokens and keeps authentication programmatic and secure.