GitLab Access Token Extender

A Python utility to automatically extend the expiration dates of GitLab access tokens that are about to expire. This tool can handle Personal Access Tokens (PATs), Group Access Tokens, and Project Access Tokens.

Overview

This script helps GitLab administrators manage access tokens by:

• Identifying tokens that are expiring soon (within 30 days by default)
• Automatically extending their expiration dates by one year
• Supporting multiple token types (Personal, Group, and Project tokens)
• Providing options to either check expiring tokens or automatically extend them

Requirements

• Python 3.6+
• Access to GitLab server with administrative privileges
• Required Python packages:

  python-gitlab
  python-dotenv
  

• GitLab server access with ability to run gitlab-rails runner

Installation

1. On the GitLab server itself, Clone this repository:

   cd /opt
   git clone [repository-url]
   cd gitlab-access-token-extender

2. Install required Python packages:

   pip install python-gitlab python-dotenv
   
   # or 
   
   apt-get install python3-dotenv python3-gitlab 

3. Copy the .env.example to .env , example:

   GITLAB_ACCESS_TOKEN=your_admin_access_token # MUST BE ADMIN TOKEN, DONT WORRY THIS WILL GET EXTENDED TOO :)
   GITLAB_API_URL=https://gitlab.example.com

4. Setup cron and rest easy, In this example: daily

   echo -e '@daily root cd /opt/gitlab-access-token-extender; ./extend.py\n' > /etc/cron.d/gitlab-access-token-extender

Configuration

The script requires two environment variables:

• GITLAB_ACCESS_TOKEN: An admin-level access token with sufficient permissions to:

  • Read all access tokens
  • Read user information
  • Read group information
  • Read project information

• GITLAB_API_URL: The URL of your GitLab instance

These can be set either in the .env file or as environment variables.

Usage

Running on GitLab Server

Since this script needs to execute Rails commands, it should be run on the GitLab server itself:

cd /opt/gitlab-access-token-extender
./extend.py

Command Line Options

• No arguments: Extends all expiring tokens
• --check-expiry: Only checks for tokens that will expire within 30 days without extending them

Logging

Logs will be written to ./extender.log

How It Works

1. The script connects to your GitLab instance using the provided admin token
2. It searches through all:
   • Personal Access Tokens
   • Group Access Tokens
   • Project Access Tokens
3. For each token, it checks if:
   • The token is active (not revoked)
   • The token is expiring within 30 days
   • For PATs: the user is still active
4. For tokens meeting these criteria, it:
   • Creates a temporary Ruby script with the necessary commands
   • Uses gitlab-rails runner to execute the commands
   • Extends the expiration date by one year
5. Provides feedback about the operations performed

Security Considerations

• The script should be run on the GitLab server itself
• The admin token used should be kept secure
• The .env file should have restricted permissions
• Temporary files are created in /tmp and immediately deleted after use

Error Handling

The script includes error handling for:

• Missing environment variables
• GitLab API access issues
• Rails command execution failures
• Individual token access errors (continues processing other tokens)

Limitations

• Must be run on the GitLab server
• Requires admin-level access
• Currently does not handle Deploy Tokens
• Extends all qualifying tokens by exactly one year