Gitlab CI/CD How to use PAT - gitlab-ci

I am currently trying to build my first pipeline. The goal is to download the git repo to a server. In doing so, I ran into the problem that I have 2FA enabled on my account. When I run the pipeline I get the following error message:
remote: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password.
Pipeline:
download_repo:
script:
echo "Hallo"
As far as I understand I have to use a PAT because I have 2FA enabled. But unfortunately I have not found any info on how to use the PAT.

To access one of your GitLab repository from your pipeline, you should create a deploy token (as described in token overview).
As noted here:
You get Deploy token username and password when you create deploy token on the repository you want to clone.
You can also use Job token. Job token inherits permissions of the user triggering the pipeline.
If your users have access to the repository you need to clone you can use git clone https://gitlab-ci-token:${CI_JOB_TOKEN}#gitlab.example.com/<namespace>/<project>.
More details on Job token is here.
The OP Assassinee adds in the comments:
The problem was that the agent could not access the repository.
I added the following item in the agent configuration:
clone_url = "https://<USER>:<PAT>#gitlab.example.com"
This makes it possible for the agent to access the repository.

Related

Fastlane Match with Gitlab Secure Files - Can't use different private token for code signing repo in CI/CD

We've been having some issues getting Fastlane Match to work in Gitlab CI using access tokens from within an existing CI pipeline.
The setup:
Repo for storing the certs / profiles: set up during fastlane init. We'll call this the "Cert Repo".
Repo for our React Native project: uses fastlane to handle builds/uploading to App Center and Testflight. We'll call this the "Project Repo"
Setup of match via match init went fine. We did the setup via terminal on the build server.
In our Matchfile:
gitlab_project("PATH_TO_CERT_REPO_HERE")
storage_mode("gitlab_secure_files")
app_identifier(["APP_IDENTIFIER_HERE"])
username("APPLE_ACCOUNT_USERNAME_HERE")
keychain_password("KEYCHAIN_PW_HERE")
team_id("TEAM_ID_HERE")
We had to pass in some env vars to the command for our gitlab enterprise api url (as "CI_API_V4_URL" and the Cert Repo access token as "PRIVATE_TOKEN"
We ran match for all cert/profile types we needed and they all uploaded to the secure files section of the Cert Repo correctly.
The Problem:
Our branches in the Project Repo use Gitlab CI to run various scripts and call a fastlane lane that will do the versioning, certs/profiles, and then upload the build to App Center or Testflight.
When we run match in readonly mode in our lane this way, match is failing with a 401 error.
Looking into the source for match and secure files for storage, it seems if you have a PRIVATE_TOKEN env var set, match will give a warning that you have both JOB_TOKEN and PRIVATE_TOKEN set and it will use the JOB_TOKEN.
The JOB_TOKEN is provided via Gitlab CI itself.
My guess is the JOB_TOKEN for this pipeline is not a valid token to authenticate against the CERT_REPO, which match needs to download the certs/profiles.
How is this supposed to work if I can't pass in a token for match to use for the CERT_REPO?
If we were using normal git storage, you can pass in the git_basic_authorization argument and give the base64 encoded "username:acces_token" string, which I'm assuming would solve the problem.
But using gitlab_secure_files, you can only use tokens.
Before we go and redo everything to use git storage and not gitlab secure files, can someone explain what we're missing here?
How is match supposed to authenticate with the Cert Repo from within the Project Repo in CI if the token it has is for the Project Repo? Doesn't it need the token for the Cert Repo to authenticate?

How to use Github Personal Access Token in Jenkins

I can ask this question in many ways, like
How to configure Jenkins credentials with Github Personal Access Token
How to clone Github repo in Jenkins using Github Personal Access Token
So this is the problem
The alternate solution that I am aware of
SSH connection
username password configuration in Jenkins. However,
use of a password with the GitHub API is now deprecated.
But My question is how to setup Github connection with Jenkins using Personal Access Token
[UPDATE]
The new solution proposed by git is
https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/
Which says:
Beginning August 13, 2021, we will no longer accept account passwords
when authenticating Git operations and will require the use of
token-based authentication, such as a personal access token (for
developers) or an OAuth or GitHub App installation token (for
integrators) for all authenticated Git operations on GitHub.com. You
may also continue using SSH keys where you prefer.
What you need to do:
https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/#what-you-need-to-do-today
Basically, change the add URL as
https://<access token>#github.com/<userName>/<repository>.git
Something like this
https://<access token>#github.com/dupinder/NgnixDockerizedDevEnv.git
and set the credentials to none.
Thanks to #Gil Stal
[OLD Technique]
After many discussion on multiple threads from Stackoverflow
I found one thread that is useful.
Refer to this answer:
https://stackoverflow.com/a/61104603/5108695
Basically
Personal access token can be used as a password, as far as Jenkins is concerned at least. I added new credentials to the credential manager.
Go to Jenkins
Go to credentials > System > Global credentials > Add credentials a page will open.
In Kind drop-down select Username and password.
In User put a non-existing username like jenkins-user or user.
Add Personal Access Token in the password field
Now start configuring your project.
source code management tab, select new configured credentials from Drop-down near credential Under Repository URL
So this is how we can configure or setup Authentication between Jenkins and Github using Personal Access Token
References:
Git Clone in Jenkins with Personal Access Token idles forever
Change jenkins pipeline to use github instead of gitlab
The accepted answer wont work anymore because of this: https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations.
You will need to:
Change the URL of the repo to: https://<access token>#github.com/<user-name>/<repo-name>.git (Replace every <...> with the real parameters)
Set the credentials to none.
As of August 2021 the answer posted by Dupinder Singh is accurate. The only thing I would add is that if you are part of a team, the url format appears to be a bit different. This is what worked for me:
https://<access token>#github.com/<team>/<repo>.git
for example
https://ghp_6dh3jdk394jsmbh299jjdg20fh87hd83ksk39#github.com/MyKuleTeam/KuleGuyCode.git
Note that if you use a personal access token you don't need to have any github credentials stored in jenkins.
As for credentials for Jenkins Github Plugin, please be aware only Personal access tokens are now accepted by this plugin.
To generate such a token, follow the Github docs (e.g. here). Don't save it, it can be regenerated in Github and updated in Jenkins if lost or when migrating to a different server.
To add the token do Jenkins credentials store, go to <JENKINS_URL:PORT>/credentials/store/system/domain/_/newCredentials and select Kind "Secret text" (not the default "Username and password"), then paste the token as Secret and choose some ID.
Testing: the credential should appear on the list of Credentials at <JENKINS_URL:PORT>/credentials/ and be selectable from the drop-down list at <JENKINS_URL:PORT>/configure/, where pressing the "Test connection" button should display "Credentials verified for user <GITHUB_USER>".
More info: see the Github plugin docs.
Caveats: Git Plugin has its long-standing issues, so if the newly created "Secret text" does not appear in your pipelines, try if this solution helps (with "the user who triggered the build" considered safer than "SYSTEM"):
client-and-managed-masters/why-credentials-are-not-listed-in-the-git-scm-section
There is (yet another) way to do this as of 2020/04 which is supposed to be superior to personal access tokens. The best part is that you can continue using a username/password-style credential, and the plugin will handle authenticating with GitHub in the background.
Benefits include:
Larger rate limits - The rate limit for a GitHub app scales with your organization size, whereas a user based token has a limit of 5000 regardless of how many repositories you have.
User-independent authentication - Each GitHub app has its own user-independent authentication. No more need for 'bot' users or figuring out who should be the owner of 2FA or OAuth tokens.
Improved security and tighter permissions - GitHub Apps offer much finer-grained permissions compared to a service user and its personal access tokens. This lets the Jenkins GitHub app require a much smaller set of privileges to run properly.
Access to GitHub Checks API - GitHub Apps can access the the GitHub Checks API to create check runs and check suites from Jenkins jobs and provide detailed feedback on commits as well as code annotation
Links:
https://www.jenkins.io/blog/2020/04/16/github-app-authentication/
https://github.com/jenkinsci/github-branch-source-plugin/blob/master/docs/github-app.adoc

Can I use git-tfs with extra header?

I need to automate the 'git-tfs pull' command in azure devops.
I have no problem executing this command with my user/pass from cmd window, but when it runs in Azure DevOps Build Agent it doesn't finish, sure it is an authentication problem.
Git-commands have the possibility to pass additional http-headers with the request. This is used by Azure DevOps build agent to pass OAuth token in an AUTHORIZATION: bearer-header when fetching the files.
Is it possible that git-tfs pull can pass the extra headers with the request?
Is it possible that git-tfs pull can pass the extra headers with the request?
No...
But... I haven't tried this and I'm guessing it won't work, since setting an OAuth credential tends to require a different object type in the TFVC Client Object Model, but this may do the trick:
git config --local tfs-remote.default.username .
git config --local tfs-remote.default.password $(SYSTEM.ACCESSTOKEN)
This will set the OAuth token in pipelines as the password to use for authentication. Make sure the pipeline has access to this special variable.
If the OAuth Token for the pipeline won't do the trick, you could try using a Personal Access Token instead.

Azure Artifacts Private npm Feed Authentication Failed

A few months ago I created a private npm feed in Azure Artifacts. Authentication with this feed worked fine.
Recently others have started using this feed and authentication is not working for them using the tokens they have generated from Azure Artifacts. When npm installing they get the following error
npm ERR! Unable to authenticate, your authentication token seems to be
invalid. npm ERR! To correct this please trying logging in again with:
npm ERR! npm login
In the npm debug log there is this error
verbose stack Error: Unable to authenticate, need: Bearer, Basic realm="{{redacted url}}", NTLM
It appears that the structure of the authentication token which we put in the global .npmrc file has changed in Azure Artifacts
From:
; Treat this auth token like a password. Do not share it with anyone, including Microsoft support. This token expires on or before 27/02/2020.
; begin auth token
//{{redacted URL}}/_packaging/{{redacted user name}}/npm/registry/:_authToken={{redacted token string}}
//{redacted URL}}/_packaging/{{redacted user name}}/npm/:_authToken={{redacted token string}}
; end auth token
To
; Treat this auth token like a password. Do not share it with anyone, including Microsoft support. This token expires on or before 14/04/2020.
; begin auth token
//{{redacted url}}/npm/registry/:username={{redacted username}}
//{{redacted url}}/npm/registry/:_password={{redacted password}}
//{{redacted url}}/npm/registry/:email=npm requires email to be set but doesn't use the value
//{{redacted url}}/_packaging/{{redacted username}}/npm/:username={{redacted user name}}
//{{redacted url}}/_packaging/{{redacted username}}/npm/:_password={{redacted password}}
//{{redacted url}}/_packaging/{{redacted username}}/npm/:email=npm requires email to be set but doesn't use the value
; end auth token
When the second token is used (or indeed any of the tokens I now generate from Azure Artifacts), we cannot npm install, we get the error shown above. If other people use the same token (in the old format) as I have, this works fine. But this token will expire soon.
I have tried providing an email address instead of the strings "npm requires email to be set but doesn't use the value" but this also did not work.
This may be unrelated but we recently upgraded from tfs version 16.131.28507.4 to Azure Devops Server version Dev17.M153.3.
Does anyone know why the authentication token format has changed? And/Or how I can make the new tokens work with my private feed?
npm version: 6.13.0
node version: 10.12.0
Azure Devops Server version: Dev17.M153.3
After further investigation and a conversation with Microsoft Azure support we determined what was causing the issue for us.
The new format of tokens which have been rolled out for Azure Artifacts no longer work if your instance of TFS (Azure Devops) is hosted on a machine which is running IIS Basic Authentication. This probably then only applies to people hosting their TFS instance themselves on premises.
The only workaround available is to modify this new token and put a TFS user’s username and base 64 encoded password into the token string after the registry/:username= and registry/:_password= strings in the two places that these appear. This is not ideal as you effectively have to store a password in almost plain text on your build server.
But it seems that is now your only choice if you do need IIS Basic Authentication enabled. Disabling this and using a different authentication scheme does fix the token authencation and you can avoid having to do the above.
I'm not sure if this causes your problem - on our azure devops instance, we recently had conditional access enabled, which can disable a lot of the PAT/token based authentication streams without a clear error message - e.g. if you are using the token outside of your normal machine/access route (we were passing a token to a build service that we couldn't use 2FA to authenticate from, and it just stopped working overnight)

Using airflow with BigQuery and cloud sdk gives error "User must be authenticated when user project is provided"

I am trying to run airflow locally. My DAG has a BigQueryOperator and I want to use the cloud sdk for authentication. I run "gcloud auth application-default login" in order to get the json file with the credentials. I try to test my Dag running the command:
airflow test testdag make_tmp_table 2019-02-13 I get the error message "User must be authenticated when user project is provided"
If I instead of using the cloud sdk use a service account that has admin rights to BigQuery it works, but I need to use authentication through the cloud sdk.
Does anyone know what this error message means or how I can run airflow and using the cloud sdk for authentication?
I have used the following source to try to understand how I can run airflow with BigQueryOperators locally.
https://medium.com/#jbencina/local-testing-with-google-cloud-composer-apache-airflow-75d4213d2893
either you are not working on the right project or you don't have permissions to do this job.
what I suggest is:
check your current configuration by running:
gcloud auth list
make sure that you have the right project and the right account set if not run these commands to set them:
gcloud auth application-default login
you will be prompted for a link. follow it and enter your account. after that you will see a verification code, copy it and add it to your gcloud terminal.
next thing to do is to make sure that your account has permissions to do the job that you are trying. probably you need this role roles/composer.admin if it didn't work add the premitive role roles/editor from your IAM console. But use that premitive role only for testing purposes and it's not adviasable to use it for production level project.
I solved it by deleting the credentials file produced when I did:
gcloud auth application-default login and then recreating the file.
Then it worked. So I had the right method, just that something was broken in the credentials file.
as #dlbech said:
Blockquote
This solution was not enough for me. I solved it by deleting the line "quota_project_id": "myproject" line in the application_default_credentials.json file. I don't know why Airflow doesn't like the quota project ID key, but I tested it multiple times, and this was the problem