We use GitLab enterprise within our company and it is integrated with Azure (https://docs.gitlab.com/integration/azure/).
In some of our pipelines, we want to generate an access token for an internal repository, and it will be included in each image we build. Instead of creating a personal access token / project token and setting it as an environment variable, which is against the company's policy for secret management, we want to use a secured technical account to log into Azure, then use the Azure token to get access to the GitLab APIs. The technical account will be granted access to GitLab enterprise within the company.
But the above link mainly talks about integration on the server side; it's not clear how we can do this on the client side. In general, when the technical account is a service principal, we get an AAD token with the client credentials flow as:
```bash
# Client credentials flow against the Azure AD v2.0 token endpoint
curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
  https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token \
  -d 'client_id=<client-id>' \
  -d 'grant_type=client_credentials' \
  -d 'client_secret=<client-secret>'
```
I want to see what we need to do to get a token to access our GitLab APIs. Do we need a specific `-d 'scope=xxx'` or `-d 'resource=xxxx'`?
You can’t use an Azure AD token to call GitLab APIs directly unless GitLab is set up to trust Azure AD tokens (via OpenID Connect for backend access). Most GitLab-Azure integrations only support user login (frontend), not service-to-service API access using AAD tokens.
To achieve secure API access using Azure AD without personal or project access tokens, you have two main options:
```bash
# Request an AAD token whose scope names the GitLab app registration
curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
  https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token \
  -d 'client_id=<client-id>' \
  -d 'scope=api://<gitlab-app-id>/.default' \
  -d 'client_secret=<client-secret>' \
  -d 'grant_type=client_credentials'
```
Exchange the AAD token at GitLab's `/oauth/token` endpoint (if GitLab supports token exchange):
```bash
# RFC 8693 token exchange: the AAD access token is the subject token
curl -X POST https://gitlab.example.com/oauth/token \
  -d grant_type=urn:ietf:params:oauth:grant-type:token-exchange \
  -d subject_token=<AAD_access_token> \
  -d subject_token_type=urn:ietf:params:oauth:token-type:access_token \
  -d client_id=<gitlab-client-id> \
  -d client_secret=<gitlab-client-secret>
```
Please refer to this Doc to configure GitLab as an OAuth 2.0 authentication identity provider.
- Create a GitLab OAuth App in GitLab (Admin ➝ Applications).
- Call the `/token` endpoint (with the `client_credentials` or `authorization_code` grant, depending on what's supported).
- Store the GitLab API token securely in a key vault or workload identity system (e.g., Azure Managed Identity with Key Vault-backed secrets).
This approach will avoid personal/project tokens and keeps authentication programmatic and secure.
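As an added example (not code from the question or the answer), the following builds the two request bodies from the answer, the AAD client-credentials request with `scope=api://<gitlab-app-id>/.default` and the token exchange at GitLab's `/oauth/token`, and checks the AAD token's audience and expiry locally before it is forwarded. The accepted audience values, the `post_form` helper and the unsigned demo token used for testing are assumptions of this example, and whether the GitLab instance supports token exchange remains the caveat the answer gives.

```python
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

AAD_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def aad_client_credentials_body(client_id, client_secret, gitlab_app_id):
    """Form body for the AAD client-credentials request; scope names the GitLab app registration."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": f"api://{gitlab_app_id}/.default",
    })


def token_exchange_body(aad_token, gl_client_id, gl_client_secret):
    """RFC 8693 token-exchange body for GitLab's /oauth/token (only works if the instance supports it)."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": aad_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "client_id": gl_client_id,
        "client_secret": gl_client_secret,
    })


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature: a pre-flight sanity check only.
    GitLab must still validate signature, issuer and audience on its side."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_aad_token(token, gitlab_app_id, now=None):
    """Return None if the token is usable for the GitLab app, otherwise the reason it is not.
    Assumption: AAD sets aud to the app id or its api://<app-id> identifier URI."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if aud not in (gitlab_app_id, f"api://{gitlab_app_id}"):
        return f"audience {aud!r} is not the GitLab app"
    if claims.get("exp", 0) <= now:
        return "token expired"
    return None


def make_demo_jwt(claims):
    """Constructed, UNSIGNED token (alg=none) for offline testing only; never accept such tokens in production."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def post_form(url, body):
    """POST a form body and return the parsed JSON response (does real network I/O)."""
    req = Request(url, data=body.encode(), headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

In a pipeline job, `post_form(AAD_TOKEN_URL.format(tenant=...), aad_client_credentials_body(...))` returns the AAD response, `check_aad_token` gates the forwarding step, and only then is `token_exchange_body` posted to the GitLab instance.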