A group access token cannot be used to rotate itself (api scope and owner role)
Summary
A group access token cannot be used to rotate itself (api scope and owner role)
I want to refresh a token with a scheduled job.
Steps to reproduce
- Define a group access token with scope: ["api"] and level "owner". The generated token will be specified as {{token}} in the following steps.
- Use the generated token to retrieve its own metadata and fetch token_id
GET /api/v4/groups/{{group_id}}/access_tokens HTTP/1.1
Private-Token: {{token}}
Content-Type: application/json
Host: {{gitlab_host}}
- Call the rotate token API
POST /api/v4/groups/{{group_id}}/access_tokens/{{token_id}}/rotate HTTP/1.1
Private-Token: {{token}}
Content-Type: application/json
Host: {{gitlab_host}}
What is the current bug behavior?
POST http returns 401 Unauthorized
What is the expected correct behavior?
POST http returns 200 OK with the rotated token
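The reproduction steps above as a scheduled-job sketch. This is an added example, not code from the original report or from GitLab. It assumes the token is picked out of the list by its name, which the report does not specify, and that the JSON fields `id`, `name`, `active` and `token` appear in the responses. `rotation-bot`, `gitlab.example.com` and `fake_send` are constructed stand-ins.

```python
import json
import urllib.error
import urllib.request


def http_send(method, url, token):
    """Real transport: returns (status, parsed JSON body or None on HTTP error)."""
    req = urllib.request.Request(url, method=method, headers={
        "Private-Token": token, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None


def rotate_self(host, group_id, token, token_name, send=http_send):
    """List the group's tokens, find our own id, then call rotate.

    Returns (status, new_token); new_token is None unless rotate answers 200.
    """
    base = f"https://{host}/api/v4/groups/{group_id}/access_tokens"
    status, tokens = send("GET", base, token)
    if status != 200:
        return status, None
    # Assumption: the list does not mark the caller's entry, so match on name
    # and refuse to guess when the match is ambiguous.
    ids = [t["id"] for t in tokens
           if t.get("name") == token_name and t.get("active")]
    if len(ids) != 1:
        raise LookupError(f"expected 1 active token named {token_name!r}, found {len(ids)}")
    status, body = send("POST", f"{base}/{ids[0]}/rotate", token)
    if status == 200 and body:
        return status, body.get("token")
    # The old token must stay in use: on 401 nothing was rotated.
    return status, None


def fake_send(method, url, token):
    """Constructed stand-in for the server, replaying the reported behaviour."""
    if method == "GET":
        return 200, [{"id": 41, "name": "old-bot", "active": False},
                     {"id": 42, "name": "rotation-bot", "active": True}]
    return 401, None


if __name__ == "__main__":
    print(rotate_self("gitlab.example.com", 7, "glpat-CONSTRUCTED",
                      "rotation-bot", send=fake_send))
```

A job built this way should alert on any non-200 result, because the existing token keeps its original expiry date when the rotate call is rejected.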