Add support for adding a single deploy key to multiple projects in a namespace/group as a non-administrator #736

Open
vchepkov opened this issue Apr 27, 2024 · 3 comments
Labels
✨feature request gitlab-free This feature would support GitLab Free and above tiers help wanted

Comments

@vchepkov

vchepkov commented Apr 27, 2024

When I try to configure the same deploy key on the group of the projects, gitlabform fails:

```
Request url='https://gitlab.example.com/api/v4/deploy_keys?per_page=100', method=GET, failed - expected code(s) [200], got code 403 & body: '{"message":"403 Forbidden"}'
```

That API is reserved for administrators only. But, as a non-administrator I should be able to create private keys for the projects and assign them to multiple projects:

https://archives.docs.gitlab.com/16.3/ee/api/deploy_keys.html#add-deploy-keys-to-multiple-projects

I certainly can using gitlab's GUI and deploy_key works only for a single project, just not for the group specified by *

GitLabForm version
🏗 GitLabForm version: 3.9.7 = the latest stable 😊

GitLab version
v16.3.7-ee

@amimas
Collaborator

amimas commented Apr 29, 2024

Hi @vchepkov - Could you please clarify the following?

> When I try to configure the same deploy key on the group of the projects, gitlabform fails:

Can you share your gitlabform config? As you mentioned in the issue title, I believe the above is not supported by gitlabform at the moment.

> That API is reserved for administrators only. But, as a non-administrator I should be able to create private keys for the projects and assign them to multiple projects:

Not sure what you meant here. When gitlabform is executed, it will run using the scope/permission of the user whose access token is used. So, if an API requires admin permission and the token does not have admin permission, gitlabform won't be able to make use of that API.

I think there are 2 different use cases here:

Looks like you're interested in the 2nd use case. Would you be able to help contribute this feature? Can you suggest what the config syntax should look like? The tricky issue here is how to separate this new config from the existing config so that they aren't clashing/conflicting with each other. Or, maybe that's not an issue. Haven't really thought about it yet.

@amimas amimas added ✨feature request gitlab-free This feature would support GitLab Free and above tiers help wanted labels Apr 29, 2024
@amimas amimas changed the title gitlabform doesn't support private deploy keys Add support for adding a single deploy key to multiple projects in a namespace/group Apr 29, 2024
@vchepkov
Author

Hi @amimas,

The configuration I attempt to use is very basic:

```yaml
  "it/puppet/*":
    merge_requests_approval_rules:
      approvers:
        name: "Approvers"
        approvals_required: 1
        applies_to_all_protected_branches: true
        groups:
          - merge-request-approvers/puppet
    deploy_keys:
      puppet:
        key: "ssh-rsa AAAAB..."
        title: puppet
        can_push: false
```

We have many projects inside that subgroup.

Based on the error, API call /deploy_keys is not handled properly:

```
failed - expected code(s) [200], got code 403
```

It is not expected to succeed for a non-administrative user:
https://archives.docs.gitlab.com/16.3/ee/api/deploy_keys.html#list-all-deploy-keys

> Get a list of all deploy keys across all projects of the GitLab instance. This endpoint requires administrator access and is not available on GitLab.com.

@gdubicki gdubicki changed the title Add support for adding a single deploy key to multiple projects in a namespace/group Add support for adding a single deploy key to multiple projects in a namespace/group as a non-administrator May 16, 2024
@amimas
Collaborator

amimas commented May 18, 2024

Thanks for the details @vchepkov. Sounds like gitlabform currently tries to get all deploy keys which requires admin access and at least in gitlab.com, this won't be available. It could affect self-hosted gitlab too but at least in that case it might be possible to get an admin user, although in a highly restricted environment, that might not be available.

So ideally, gitlabform needs to use the following endpoint when it encounters the above exception listing all deploy keys.

```
users/:id_or_username/project_deploy_keys
```

In my opinion, we should split this issue into 2. One is for addressing the access issue and the second is for the ability to add a deploy key to multiple projects. For the second one, I wonder if we need to discuss the config syntax a bit more. Your sample config looks fine to me but haven't really thought it through yet.

cc: @gdubicki @TimKnight-DWP
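
The fallback suggested in the last comment, combined with the create-once-then-enable flow from the linked GitLab deploy keys documentation, sketched as an added example that is not gitlabform's code. The helper names, the `api` callable, the fake server and its key id 7 are hypothetical, and it assumes the token may read the per-user listing.

```python
# Added example; helper names and the fake API are hypothetical, not gitlabform code.
from collections import namedtuple

Response = namedtuple("Response", "status body")

def key_material(public_key):
    """Key type plus base64 blob; the trailing comment is not part of the key."""
    return " ".join(public_key.split()[:2])

def list_visible_deploy_keys(api, username):
    """Instance-wide listing first; on 403 fall back to the per-user listing."""
    resp = api("GET", "/deploy_keys")
    if resp.status == 403:  # token is not an administrator
        resp = api("GET", f"/users/{username}/project_deploy_keys")
    if resp.status != 200:  # any other failure is real: surface it
        raise RuntimeError(f"listing deploy keys failed: {resp.status}")
    return resp.body

def ensure_key_on_projects(api, username, project_ids, title, public_key):
    """Create the key once, then enable that same key on the other projects."""
    wanted = key_material(public_key)
    key_id = next((k["id"] for k in list_visible_deploy_keys(api, username)
                   if key_material(k["key"]) == wanted), None)
    for pid in project_ids:
        if key_id is None:
            resp = api("POST", f"/projects/{pid}/deploy_keys",
                       {"title": title, "key": public_key, "can_push": False})
        else:
            resp = api("POST", f"/projects/{pid}/deploy_keys/{key_id}/enable")
        if resp.status not in (200, 201):
            raise RuntimeError(f"project {pid}: got {resp.status}")
        key_id = resp.body["id"]
    return key_id

def make_fake_api(user_keys):
    """Constructed stand-in for GitLab as seen with a non-admin token."""
    calls = []
    def api(method, path, data=None):
        calls.append((method, path))
        if path == "/deploy_keys":
            return Response(403, {"message": "403 Forbidden"})
        if path.endswith("/project_deploy_keys"):
            return Response(200, user_keys)
        if path.endswith("/enable"):
            return Response(201, {"id": int(path.split("/")[-2])})
        return Response(201, {"id": 7})  # constructed id for a new key
    return api, calls
```

Only the 403 triggers the fallback; any other non-200 status is raised instead of being treated as "no keys", which would otherwise lead to a duplicate key being created.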
