diff --git a/app/assets/javascripts/token_access/components/inbound_token_access.vue b/app/assets/javascripts/token_access/components/inbound_token_access.vue index ef5be9f499a17e958d1b09e454e7aa0d9bf3ad26..04474ed952701963ed6af0a10a67ed059f4bb252 100644 --- a/app/assets/javascripts/token_access/components/inbound_token_access.vue +++ b/app/assets/javascripts/token_access/components/inbound_token_access.vue @@ -29,9 +29,12 @@ export default { i18n: { toggleLabelTitle: s__('CICD|Limit access %{italicStart}to%{italicEnd} this project'), toggleDescription: s__( - `CICD|Allow access to this project from authorized groups or projects by adding them to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more%{linkEnd}.`, + `CICD|When enabled, only groups and projects in the allowlist are authorized to use a CI/CD job token to authenticate requests to this project. When disabled, any group or project can do so. %{linkStart}Learn more%{linkEnd}.`, + ), + cardHeaderTitle: s__('CICD|Authorized groups and projects'), + cardHeaderDescription: s__( + `CICD|Ensure only groups and projects with members authorized to access sensitive project data are added to the allowlist.`, ), - cardHeaderTitle: s__('CICD|Groups and projects with access'), settingDisabledMessage: s__( 'CICD|Access unrestricted, so users with sufficient permissions in this project can authenticate with a job token generated in any other project. Enable this setting to restrict authentication to only job tokens generated in the groups and projects in the allowlist below.', ), @@ -284,7 +287,7 @@ export default { <div> <gl-card class="gl-new-card" - header-class="gl-new-card-header gl-border-bottom-0" + header-class="gl-new-card-header gl-border-bottom-0 gl-flex-wrap gl-md-flex-nowrap" body-class="gl-new-card-body gl-px-0" > <template #header> 
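Review bot: In the first hunk of inbound_token_access.vue, the new `toggleDescription` says that with the setting disabled "any group or project can do so", which is broader than the unchanged `settingDisabledMessage` just below it, where access is limited to "users with sufficient permissions in this project". The rewrite also drops the sentence that called disabling the setting a security risk, while doc/ci/jobs/ci_job_token.md in this same commit still tells maintainers "It is a security risk to disable this feature". I would keep both points in the toggle text, for example `When disabled, users with sufficient permissions in this project can authenticate with a job token generated in any other group or project, which is a security risk.` The matching msgid in locale/gitlab.pot would need regenerating. The `i18n` object continues outside the hunk.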
@@ -310,8 +313,9 @@ export default { {{ projectCount }} </span> </div> + <p class="gl-text-secondary">{{ $options.i18n.cardHeaderDescription }}</p> </div> - <div class="gl-new-card-actions"> + <div class="gl-new-card-actions gl-w-full gl-md-w-auto gl-text-right"> <gl-button v-if="!isAddFormVisible" size="small" diff --git a/app/assets/javascripts/token_access/components/outbound_token_access.vue b/app/assets/javascripts/token_access/components/outbound_token_access.vue index c3d08b884fee164648620763b8b1c012520f7881..d98a91529d2cf0b8937891bfb77ef06412c8ba99 100644 --- a/app/assets/javascripts/token_access/components/outbound_token_access.vue +++ b/app/assets/javascripts/token_access/components/outbound_token_access.vue @@ -21,7 +21,7 @@ import getCIJobTokenScopeQuery from '../graphql/queries/get_ci_job_token_scope.q import getProjectsWithCIJobTokenScopeQuery from '../graphql/queries/get_projects_with_ci_job_token_scope.query.graphql'; import TokenAccessTable from './token_access_table.vue'; -// Note: This component will be removed in 17.0, as the outbound access token is getting deprecated +// Note: This component will be removed in 18.0, as the outbound access token is getting deprecated export default { i18n: { toggleLabelTitle: s__( diff --git a/app/views/projects/settings/ci_cd/show.html.haml b/app/views/projects/settings/ci_cd/show.html.haml index f21386065bb344f0a277d00df7d686520e0612fd..6df016c4ed265e8f227045359cf72ac108724d0b 100644 --- a/app/views/projects/settings/ci_cd/show.html.haml +++ b/app/views/projects/settings/ci_cd/show.html.haml 
@@ -105,11 +105,11 @@ %section.settings.no-animate#js-token-access{ class: ('expanded' if expanded) } .settings-header %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only - = _("Token Access") + = _("Job token permissions") = render Pajamas::ButtonComponent.new(button_options: { class: 'js-settings-toggle' }) do = expanded ? _('Collapse') : _('Expand') %p.gl-text-secondary - = _("Control how the CI_JOB_TOKEN CI/CD variable is used for API access between projects.") + = _("Control whether CI/CD job tokens can be used to authenticate with this project.") .settings-content = render 'ci/token_access/index' diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md index ee5bd6836433b97c274ade05fa5511edd5aa76a6..3796a6f38a61224b61bdea58cc56e54d5a2b6296 100644 --- a/doc/ci/jobs/ci_job_token.md +++ b/doc/ci/jobs/ci_job_token.md @@ -88,6 +88,7 @@ with a job token from any project. These resources can also be [limited to only > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/346298/) in GitLab 15.10. > - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3. > - Adding groups to the job token allowlist [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.0. +> - **Token Access** setting [renamed to **Job token permissions**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.2. You can add groups or projects to your job token allowlist to allow access your project's resources with a job token for authentication. By default, the allowlist of any project only includes itself. 
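Review bot: In the show.html.haml hunk, the new description under the renamed heading covers only the inbound direction ("can be used to authenticate with this project"), but the section may still hold the deprecated outbound setting. This commit keeps outbound_token_access.vue until 18.0, and the docs still send readers to **Job token permissions** to toggle **Limit access _from_ this project**. Whether `ci/token_access/index` still renders that toggle is not visible here. If it does, wording such as `Control how CI/CD job tokens can be used to authenticate with this project, and from it.` would keep the text from hiding a second access control. Keeping the `#js-token-access` id unchanged looks deliberate and preserves existing deep links; a short HAML comment saying so would stop a later cleanup from renaming it.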
@@ -112,7 +113,7 @@ To add a group or project to the allowlist: 1. On the left sidebar, select **Search or go to** and find your project. 1. Select **Settings > CI/CD**. -1. Expand **Token Access**. +1. Expand **Job token permissions**. 1. Ensure the **Limit access _to_ this project** toggle is enabled. Enabled by default in new projects. It is a security risk to disable this feature, so project maintainers or owners should keep this setting enabled at all times. @@ -151,6 +152,7 @@ To set a feature to be only visible to project members: ### Allow any project to access your project > - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3. +> - **Token Access** setting [renamed to **Job token permissions**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.2. WARNING: It is a security risk to disable the token access limit and allowlist. A malicious user could try to compromise @@ -172,7 +174,7 @@ To disable the job token scope allowlist: 1. On the left sidebar, select **Search or go to** and find your project. 1. Select **Settings > CI/CD**. -1. Expand **Token Access**. +1. Expand **Job token permissions**. 1. Toggle **Limit access _to_ this project** to disabled. Enabled by default in new projects. @@ -230,6 +232,7 @@ to make an API request to project `B`, then `B` must be added to the allowlist f ### Configure the job token scope (deprecated) > - **Limit CI_JOB_TOKEN access** setting [renamed to **Limit access _from_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3. +> - **Token Access** setting [renamed to **Job token permissions**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.2. Prerequisites: 
@@ -239,7 +242,7 @@ To configure the job token scope: 1. On the left sidebar, select **Search or go to** and find your project. 1. Select **Settings > CI/CD**. -1. Expand **Token Access**. +1. Expand **Job token permissions**. 1. Toggle **Limit access _from_ this project** to enabled. 1. Optional. Add existing projects to the token's access scope. The user adding a project must have the Maintainer role in both projects. diff --git a/lib/search/settings.rb b/lib/search/settings.rb index 9f83af8548198a6a0bea039ff23e699dfd3e44a6..cb18b0d27a038f1599670ab52ff8f97f2da93e1d 100644 --- a/lib/search/settings.rb +++ b/lib/search/settings.rb @@ -58,7 +58,7 @@ def project_ci_cd_settings(project) href: project_settings_ci_cd_path(project, anchor: 'js-pipeline-triggers') }, { text: _("Deploy freezes"), href: project_settings_ci_cd_path(project, anchor: 'js-deploy-freeze-settings') }, - { text: _("Token Access"), href: project_settings_ci_cd_path(project, anchor: 'js-token-access') }, + { text: _("Job token permissions"), href: project_settings_ci_cd_path(project, anchor: 'js-token-access') }, { text: _("Secure Files"), href: project_settings_ci_cd_path(project, anchor: 'js-secure-files') } ] diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 7b45b24093026a2444276b43b3a57fad352b4a28..3895227e8c467061a1ac3a3ea05f3f4a1f0ab826 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -10069,7 +10069,7 @@ msgstr "" msgid "CICD|Add an existing project to the scope" msgstr "" -msgid "CICD|Allow access to this project from authorized groups or projects by adding them to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more%{linkEnd}." +msgid "CICD|Authorized groups and projects" msgstr "" msgid "CICD|Auto DevOps" 
@@ -10102,7 +10102,7 @@ msgstr "" msgid "CICD|Enable feature to limit job token access to the following projects." msgstr "" -msgid "CICD|Groups and projects with access" +msgid "CICD|Ensure only groups and projects with members authorized to access sensitive project data are added to the allowlist." msgstr "" msgid "CICD|Jobs" @@ -10147,6 +10147,9 @@ msgstr "" msgid "CICD|Use separate caches for protected branches" msgstr "" +msgid "CICD|When enabled, only groups and projects in the allowlist are authorized to use a CI/CD job token to authenticate requests to this project. When disabled, any group or project can do so. %{linkStart}Learn more%{linkEnd}." +msgstr "" + msgid "CICD|group enabled" msgstr "" @@ -14944,7 +14947,7 @@ msgstr "" msgid "Contributor analytics" msgstr "" -msgid "Control how the CI_JOB_TOKEN CI/CD variable is used for API access between projects." +msgid "Control whether CI/CD job tokens can be used to authenticate with this project." msgstr "" msgid "Control whether to display customer experience improvement content and third-party offers in GitLab." @@ -29664,6 +29667,9 @@ msgstr "" msgid "Job logs and artifacts" msgstr "" +msgid "Job token permissions" +msgstr "" + msgid "Job was retried" msgstr "" @@ -55331,9 +55337,6 @@ msgstr "" msgid "Token" msgstr "" -msgid "Token Access" -msgstr "" - msgid "Token name" msgstr ""