GitLab
Proxy for the GitLab REST API via the managed gateway.
What this connector does
Gives agents gated access to a GitLab instance (SaaS or self-hosted) for:
- Listing users, projects, merge requests.
- Creating and editing merge requests.
- Commenting on merge requests.
- Minting project access tokens.
- Listing container-registry repositories and tags.
All operations are gated by PBAC policy. Every call flows: agent → gateway → /introspect (with this connector's resource_type) → OPA decision → GitLab API → response.
The connector supports two authentication modes, chosen at install time:
- Per-user passthrough (
idp_passthrough, default) — the gateway forwards each calling user's own GitLab OAuth token (captured when they log in to PolicyArc through the GitLab IdP). GitLab enforces its own project membership and permissions, and its audit trail shows the real person. - Shared service token (
static) — every call uses one operator-held personal/project/group access token via thePRIVATE-TOKENheader. PolicyArc still enforces per-user policy and audit in front, but GitLab sees a single service identity.
Prerequisites
- The base URL of your GitLab instance (defaults to
https://gitlab.com). - For passthrough mode (default):
- A GitLab OAuth application registered on your GitLab instance
- A GitLab IdP registered in PolicyArc with provider key
gitlab(use the GitLab preset in the IdP setup wizard) - The OAuth application must request the
apiscope in addition to the OIDC login scopes (openid profile email) - Users must log in to PolicyArc through that GitLab IdP — the gateway replays the token captured at login
- For static mode:
- A GitLab access token that has enough permission for the operations you want to gate. Options:
- Personal Access Token — scoped to one user; simplest for PoC.
- Project Access Token — scoped to one project; recommended for production if the agent only needs one project.
- Group Access Token — scoped to a group of projects.
- A GitLab access token that has enough permission for the operations you want to gate. Options:
Install
1. Set up authentication
For passthrough mode (default)
-
Create a GitLab OAuth application:
- On your GitLab instance, go to User Settings → Applications (or Admin Area → Applications for instance-wide)
- Name: Choose any name (e.g., "PolicyArc MR-75")
- Redirect URI: Your PolicyArc tenant's callback URL:
https://<your-tenant>/oauth2/callback - Confidential: Yes (check the box)
- Scopes: Select
openid,profile,email, andapi - Click Save application and note the Application ID and Secret
-
Register the GitLab IdP in PolicyArc:
- In your tenant's admin UI: Identity Providers → Add → GitLab preset
- Issuer: Your GitLab URL (e.g.,
https://git.identos.ca) - Client ID: The Application ID from step 1
- Client Secret: The Secret from step 1
- The preset auto-discovers the OIDC endpoints
No credential provisioning needed — users log in with their own GitLab accounts.
For static mode
Create a GitLab access token with the minimum scopes you need. For MR automation:
| Operation | Minimum GitLab scope |
|---|---|
| List projects/MRs/notes | read_api |
| Create/edit MRs, post comments | api |
| Create project access tokens | api + project Owner/Maintainer |
| Container registry | read_registry |
Put the token in an environment variable the PBAC AS can read:
export GITLAB_PRIVATE_TOKEN="glpat-..."