GitLab v8.10.0, Mar 21 25

GitLab v8.10.0 published on Friday, Mar 21, 2025 by Pulumi

gitlab.GroupServiceAccountAccessToken

Explore with Pulumi AI

GitLab v8.10.0 published on Friday, Mar 21, 2025 by Pulumi

Reading the access token status of a service account requires an admin token or a top-level group owner token on gitlab.com. As a result, this resource will ignore permission errors when attempting to read the token status, and will rely on the values in state instead. This can lead to apply-time failures if the token configured for the provider doesn’t have permissions to rotate tokens for the service account.

Use rotation_configuration to automatically rotate tokens instead of using timestamp() as timestamp will cause changes with every plan. pulumi up must still be run to rotate the token.

Due to a limitation in the API, the rotation_configuration is unable to set the new expiry date before GitLab 17.9. Instead, when the resource is created, it will default the expiry date to 7 days in the future. On each subsequent apply, the new expiry will be 7 days from the date of the apply.

Upstream API: GitLab API docs

Create GroupServiceAccountAccessToken Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new GroupServiceAccountAccessToken(name: string, args: GroupServiceAccountAccessTokenArgs, opts?: CustomResourceOptions);

@overload
def GroupServiceAccountAccessToken(resource_name: str,
                                   args: GroupServiceAccountAccessTokenArgs,
                                   opts: Optional[ResourceOptions] = None)

@overload
def GroupServiceAccountAccessToken(resource_name: str,
                                   opts: Optional[ResourceOptions] = None,
                                   group: Optional[str] = None,
                                   scopes: Optional[Sequence[str]] = None,
                                   user_id: Optional[int] = None,
                                   expires_at: Optional[str] = None,
                                   name: Optional[str] = None,
                                   rotation_configuration: Optional[GroupServiceAccountAccessTokenRotationConfigurationArgs] = None)

func NewGroupServiceAccountAccessToken(ctx *Context, name string, args GroupServiceAccountAccessTokenArgs, opts ...ResourceOption) (*GroupServiceAccountAccessToken, error)

public GroupServiceAccountAccessToken(string name, GroupServiceAccountAccessTokenArgs args, CustomResourceOptions? opts = null)

public GroupServiceAccountAccessToken(String name, GroupServiceAccountAccessTokenArgs args)
public GroupServiceAccountAccessToken(String name, GroupServiceAccountAccessTokenArgs args, CustomResourceOptions options)

type: gitlab:GroupServiceAccountAccessToken
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args GroupServiceAccountAccessTokenArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args GroupServiceAccountAccessTokenArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args GroupServiceAccountAccessTokenArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args GroupServiceAccountAccessTokenArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args GroupServiceAccountAccessTokenArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var groupServiceAccountAccessTokenResource = new GitLab.GroupServiceAccountAccessToken("groupServiceAccountAccessTokenResource", new()
{
    Group = "string",
    Scopes = new[]
    {
        "string",
    },
    UserId = 0,
    ExpiresAt = "string",
    Name = "string",
    RotationConfiguration = new GitLab.Inputs.GroupServiceAccountAccessTokenRotationConfigurationArgs
    {
        RotateBeforeDays = 0,
        ExpirationDays = 0,
    },
});

example, err := gitlab.NewGroupServiceAccountAccessToken(ctx, "groupServiceAccountAccessTokenResource", &gitlab.GroupServiceAccountAccessTokenArgs{
	Group: pulumi.String("string"),
	Scopes: pulumi.StringArray{
		pulumi.String("string"),
	},
	UserId:    pulumi.Int(0),
	ExpiresAt: pulumi.String("string"),
	Name:      pulumi.String("string"),
	RotationConfiguration: &gitlab.GroupServiceAccountAccessTokenRotationConfigurationArgs{
		RotateBeforeDays: pulumi.Int(0),
		ExpirationDays:   pulumi.Int(0),
	},
})

var groupServiceAccountAccessTokenResource = new GroupServiceAccountAccessToken("groupServiceAccountAccessTokenResource", GroupServiceAccountAccessTokenArgs.builder()
    .group("string")
    .scopes("string")
    .userId(0)
    .expiresAt("string")
    .name("string")
    .rotationConfiguration(GroupServiceAccountAccessTokenRotationConfigurationArgs.builder()
        .rotateBeforeDays(0)
        .expirationDays(0)
        .build())
    .build());

group_service_account_access_token_resource = gitlab.GroupServiceAccountAccessToken("groupServiceAccountAccessTokenResource",
    group="string",
    scopes=["string"],
    user_id=0,
    expires_at="string",
    name="string",
    rotation_configuration={
        "rotate_before_days": 0,
        "expiration_days": 0,
    })

const groupServiceAccountAccessTokenResource = new gitlab.GroupServiceAccountAccessToken("groupServiceAccountAccessTokenResource", {
    group: "string",
    scopes: ["string"],
    userId: 0,
    expiresAt: "string",
    name: "string",
    rotationConfiguration: {
        rotateBeforeDays: 0,
        expirationDays: 0,
    },
});

type: gitlab:GroupServiceAccountAccessToken
properties:
    expiresAt: string
    group: string
    name: string
    rotationConfiguration:
        expirationDays: 0
        rotateBeforeDays: 0
    scopes:
        - string
    userId: 0

GroupServiceAccountAccessToken Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The GroupServiceAccountAccessToken resource accepts the following input properties:

Group string: The ID or URL-encoded path of the group containing the service account. Must be a top level group.
Scopes List<string>: The scopes of the group service account access token. valid values are: api, read_api, read_registry, write_registry, read_repository, write_repository, create_runner, manage_runner, ai_features, k8s_proxy, read_observability, write_observability
UserId int: The ID of a service account user.
ExpiresAt string: The service account access token expiry date. When left blank, the token follows the standard rule of expiry for personal access tokens.
Name string: The name of the personal access token.
RotationConfiguration Pulumi.GitLab.Inputs.GroupServiceAccountAccessTokenRotationConfiguration: The configuration for when to rotate a token automatically. Will not rotate a token until pulumi up is run.

Group string: The ID or URL-encoded path of the group containing the service account. Must be a top level group.
Scopes []string: The scopes of the group service account access token. valid values are: api, read_api, read_registry, write_registry, read_repository, write_repository, create_runner, manage_runner, ai_features, k8s_proxy, read_observability, write_observability
UserId int: The ID of a service account user.
ExpiresAt string: The service account access token expiry date. When left blank, the token follows the standard rule of expiry for personal access tokens.
Name string: The name of the personal access token.
RotationConfiguration GroupServiceAccountAccessTokenRotationConfigurationArgs: The configuration for when to rotate a token automatically. Will not rotate a token until pulumi up is run.

group String: The ID or URL-encoded path of the group containing the service account. Must be a top level group.
scopes List<String>: The scopes of the group service account access token. valid values are: api, read_api, read_registry, write_registry, read_repository, write_repository, create_runner, manage_runner, ai_features, k8s_proxy, read_observability, write_observability
userId Integer: The ID of a service account user.
expiresAt String: The service account access token expiry date. When left blank, the token follows the standard rule of expiry for personal access tokens.
name String: The name of the personal access token.
rotationConfiguration GroupServiceAccountAccessTokenRotationConfiguration: The configuration for when to rotate a token automatically. Will not rotate a token until pulumi up is run.

group string: The ID or URL-encoded path of the group containing the service account. Must be a top level group.
scopes string[]: The scopes of the group service account access token. valid values are: api, read_api, read_registry, write_registry, read_repository, write_repository, create_runner, manage_runner, ai_features, k8s_proxy, read_observability, write_observability
userId number: The ID of a service account user.
expiresAt string: The service account access token expiry date. When left blank, the token follows the standard rule of expiry for personal access tokens.
name string: The name of the personal access token.
rotationConfiguration GroupServiceAccountAccessTokenRotationConfiguration: The configuration for when to rotate a token automatically. Will not rotate a token until pulumi up is run.

group str: The ID or URL-encoded path of the group containing the service account. Must be a top level group.
scopes Sequence[str]: The scopes of the group service account access token. valid values are: api, read_api, read_registry, write_registry, read_repository, write_repository, create_runner, manage_runner, ai_features, k8s_proxy, read_observability, write_observability
user_id int: The ID of a service account user.
expires_at str: The service account access token expiry date. When left blank, the token follows the standard rule of expiry for personal access tokens.
name str: The name of the personal access token.
rotation_configuration GroupServiceAccountAccessTokenRotationConfigurationArgs: The configuration for when to rotate a token automatically. Will not rotate a token until pulumi up is run.

group String: The ID or URL-encoded path of the group containing the service account. Must be a top level group.
scopes List<String>: The scopes of the group service account access token. valid values are: api, read_api, read_registry, write_registry, read_repository, write_repository, create_runner, manage_runner, ai_features, k8s_proxy, read_observability, write_observability
userId Number: The ID of a service account user.
expiresAt String: The service account access token expiry date. When left blank, the token follows the standard rule of expiry for personal access tokens.
name String: The name of the personal access token.
rotationConfiguration Property Map: The configuration for when to rotate a token automatically. Will not rotate a token until pulumi up is run.

Outputs

All input properties are implicitly available as output properties. Additionally, the GroupServiceAccountAccessToken resource produces the following output properties:

Active bool: True if the token is active.
CreatedAt string: Time the token has been created, RFC3339 format.
Id string: The provider-assigned unique ID for this managed resource.
Revoked bool: True if the token is revoked.
Token string: The token of the group service account access token. Note: the token is not available for imported resources.

Active bool: True if the token is active.
CreatedAt string: Time the token has been created, RFC3339 format.
Id string: The provider-assigned unique ID for this managed resource.
Revoked bool: True if the token is revoked.
Token string: The token of the group service account access token. Note: the token is not available for imported resources.

active Boolean: True if the token is active.
createdAt String: Time the token has been created, RFC3339 format.
id String: The provider-assigned unique ID for this managed resource.
revoked Boolean: True if the token is revoked.
token String: The token of the group service account access token. Note: the token is not available for imported resources.

active boolean: True if the token is active.
createdAt string: Time the token has been created, RFC3339 format.
id string: The provider-assigned unique ID for this managed resource.
revoked boolean: True if the token is revoked.
token string: The token of the group service account access token. Note: the token is not available for imported resources.

active bool: True if the token is active.
created_at str: Time the token has been created, RFC3339 format.
id str: The provider-assigned unique ID for this managed resource.
revoked bool: True if the token is revoked.
token str: The token of the group service account access token. Note: the token is not available for imported resources.

active Boolean: True if the token is active.
createdAt String: Time the token has been created, RFC3339 format.
id String: The provider-assigned unique ID for this managed resource.
revoked Boolean: True if the token is revoked.
token String: The token of the group service account access token. Note: the token is not available for imported resources.

Look up Existing GroupServiceAccountAccessToken Resource

Get an existing GroupServiceAccountAccessToken resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: GroupServiceAccountAccessTokenState, opts?: CustomResourceOptions): GroupServiceAccountAccessToken

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        active: Optional[bool] = None,
        created_at: Optional[str] = None,
        expires_at: Optional[str] = None,
        group: Optional[str] = None,
        name: Optional[str] = None,
        revoked: Optional[bool] = None,
        rotation_configuration: Optional[GroupServiceAccountAccessTokenRotationConfigurationArgs] = None,
        scopes: Optional[Sequence[str]] = None,
        token: Optional[str] = None,
        user_id: Optional[int] = None) -> GroupServiceAccountAccessToken

func GetGroupServiceAccountAccessToken(ctx *Context, name string, id IDInput, state *GroupServiceAccountAccessTokenState, opts ...ResourceOption) (*GroupServiceAccountAccessToken, error)

public static GroupServiceAccountAccessToken Get(string name, Input<string> id, GroupServiceAccountAccessTokenState? state, CustomResourceOptions? opts = null)

public static GroupServiceAccountAccessToken get(String name, Output<String> id, GroupServiceAccountAccessTokenState state, CustomResourceOptions options)

resources:  _:    type: gitlab:GroupServiceAccountAccessToken    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Active bool: True if the token is active.
CreatedAt string: Time the token has been created, RFC3339 format.
ExpiresAt string: The service account access token expiry date. When left blank, the token follows the standard rule of expiry for personal access tokens.
Group string: The ID or URL-encoded path of the group containing the service account. Must be a top level group.
Name string: The name of the personal access token.
Revoked bool: True if the token is revoked.
RotationConfiguration Pulumi.GitLab.Inputs.GroupServiceAccountAccessTokenRotationConfiguration: The configuration for when to rotate a token automatically. Will not rotate a token until pulumi up is run.
Scopes List<string>: The scopes of the group service account access token. valid values are: api, read_api, read_registry, write_registry, read_repository, write_repository, create_runner, manage_runner, ai_features, k8s_proxy, read_observability, write_observability
Token string: The token of the group service account access token. Note: the token is not available for imported resources.
UserId int: The ID of a service account user.

Active bool: True if the token is active.
CreatedAt string: Time the token has been created, RFC3339 format.
ExpiresAt string: The service account access token expiry date. When left blank, the token follows the standard rule of expiry for personal access tokens.
Group string: The ID or URL-encoded path of the group containing the service account. Must be a top level group.
Name string: The name of the personal access token.
Revoked bool: True if the token is revoked.
RotationConfiguration GroupServiceAccountAccessTokenRotationConfigurationArgs: The configuration for when to rotate a token automatically. Will not rotate a token until pulumi up is run.
Scopes []string: The scopes of the group service account access token. valid values are: api, read_api, read_registry, write_registry, read_repository, write_repository, create_runner, manage_runner, ai_features, k8s_proxy, read_observability, write_observability
Token string: The token of the group service account access token. Note: the token is not available for imported resources.
UserId int: The ID of a service account user.

active Boolean: True if the token is active.
createdAt String: Time the token has been created, RFC3339 format.
expiresAt String: The service account access token expiry date. When left blank, the token follows the standard rule of expiry for personal access tokens.
group String: The ID or URL-encoded path of the group containing the service account. Must be a top level group.
name String: The name of the personal access token.
revoked Boolean: True if the token is revoked.
rotationConfiguration GroupServiceAccountAccessTokenRotationConfiguration: The configuration for when to rotate a token automatically. Will not rotate a token until pulumi up is run.
scopes List<String>: The scopes of the group service account access token. valid values are: api, read_api, read_registry, write_registry, read_repository, write_repository, create_runner, manage_runner, ai_features, k8s_proxy, read_observability, write_observability
token String: The token of the group service account access token. Note: the token is not available for imported resources.
userId Integer: The ID of a service account user.

active boolean: True if the token is active.
createdAt string: Time the token has been created, RFC3339 format.
expiresAt string: The service account access token expiry date. When left blank, the token follows the standard rule of expiry for personal access tokens.
group string: The ID or URL-encoded path of the group containing the service account. Must be a top level group.
name string: The name of the personal access token.
revoked boolean: True if the token is revoked.
rotationConfiguration GroupServiceAccountAccessTokenRotationConfiguration: The configuration for when to rotate a token automatically. Will not rotate a token until pulumi up is run.
scopes string[]: The scopes of the group service account access token. valid values are: api, read_api, read_registry, write_registry, read_repository, write_repository, create_runner, manage_runner, ai_features, k8s_proxy, read_observability, write_observability
token string: The token of the group service account access token. Note: the token is not available for imported resources.
userId number: The ID of a service account user.

active bool: True if the token is active.
created_at str: Time the token has been created, RFC3339 format.
expires_at str: The service account access token expiry date. When left blank, the token follows the standard rule of expiry for personal access tokens.
group str: The ID or URL-encoded path of the group containing the service account. Must be a top level group.
name str: The name of the personal access token.
revoked bool: True if the token is revoked.
rotation_configuration GroupServiceAccountAccessTokenRotationConfigurationArgs: The configuration for when to rotate a token automatically. Will not rotate a token until pulumi up is run.
scopes Sequence[str]: The scopes of the group service account access token. valid values are: api, read_api, read_registry, write_registry, read_repository, write_repository, create_runner, manage_runner, ai_features, k8s_proxy, read_observability, write_observability
token str: The token of the group service account access token. Note: the token is not available for imported resources.
user_id int: The ID of a service account user.

active Boolean: True if the token is active.
createdAt String: Time the token has been created, RFC3339 format.
expiresAt String: The service account access token expiry date. When left blank, the token follows the standard rule of expiry for personal access tokens.
group String: The ID or URL-encoded path of the group containing the service account. Must be a top level group.
name String: The name of the personal access token.
revoked Boolean: True if the token is revoked.
rotationConfiguration Property Map: The configuration for when to rotate a token automatically. Will not rotate a token until pulumi up is run.
scopes List<String>: The scopes of the group service account access token. valid values are: api, read_api, read_registry, write_registry, read_repository, write_repository, create_runner, manage_runner, ai_features, k8s_proxy, read_observability, write_observability
token String: The token of the group service account access token. Note: the token is not available for imported resources.
userId Number: The ID of a service account user.

Supporting Types

GroupServiceAccountAccessTokenRotationConfiguration, GroupServiceAccountAccessTokenRotationConfigurationArgs

RotateBeforeDays int: The duration (in days) before the expiration when the token should be rotated. As an example, if set to 7 days, the token will rotate 7 days before the expiration date, but only when pulumi up is run in that timeframe.
ExpirationDays int: The duration (in days) the new token should be valid for.

RotateBeforeDays int: The duration (in days) before the expiration when the token should be rotated. As an example, if set to 7 days, the token will rotate 7 days before the expiration date, but only when pulumi up is run in that timeframe.
ExpirationDays int: The duration (in days) the new token should be valid for.

rotateBeforeDays Integer: The duration (in days) before the expiration when the token should be rotated. As an example, if set to 7 days, the token will rotate 7 days before the expiration date, but only when pulumi up is run in that timeframe.
expirationDays Integer: The duration (in days) the new token should be valid for.

rotateBeforeDays number: The duration (in days) before the expiration when the token should be rotated. As an example, if set to 7 days, the token will rotate 7 days before the expiration date, but only when pulumi up is run in that timeframe.
expirationDays number: The duration (in days) the new token should be valid for.

rotate_before_days int: The duration (in days) before the expiration when the token should be rotated. As an example, if set to 7 days, the token will rotate 7 days before the expiration date, but only when pulumi up is run in that timeframe.
expiration_days int: The duration (in days) the new token should be valid for.

rotateBeforeDays Number: The duration (in days) before the expiration when the token should be rotated. As an example, if set to 7 days, the token will rotate 7 days before the expiration date, but only when pulumi up is run in that timeframe.
expirationDays Number: The duration (in days) the new token should be valid for.

Import

Starting in Terraform v1.5.0 you can use an import block to import gitlab_group_service_account_access_token. For example:

terraform

import {

to = gitlab_group_service_account_access_token.example

id = “see CLI command below for ID”

}

Import using the CLI is supported using the following syntax:

$ pulumi import gitlab:index/groupServiceAccountAccessToken:GroupServiceAccountAccessToken You can import a service account access token using `<resource> <id>`. The

id is in the form of <group_id>:<service_account_id>:<access_token_id>

Importing an access token does not import the access token value.

$ pulumi import gitlab:index/groupServiceAccountAccessToken:GroupServiceAccountAccessToken example 1:2:3

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: GitLab pulumi/pulumi-gitlab
License: Apache-2.0
Notes: This Pulumi package is based on the gitlab Terraform Provider.

GitLab v8.10.0 published on Friday, Mar 21, 2025 by Pulumi

pulumi/pulumi-gitlab

gitlab.GroupServiceAccountAccessToken

On this page

On this page

Create GroupServiceAccountAccessToken Resource

Constructor syntax

Parameters

Constructor example

GroupServiceAccountAccessToken Resource Properties

Inputs

Outputs

Look up Existing GroupServiceAccountAccessToken Resource

Supporting Types

GroupServiceAccountAccessTokenRotationConfiguration, GroupServiceAccountAccessTokenRotationConfigurationArgs

Import

Package Details

On this page

On this page