GitLab Pipelines provide the ability to define a workflow that has externalized variables that can be set at the direct project level, or inherited from the group or instance level.
These can be viewed in the GitLab web UI, but for scripting and automation can also be queried from the GitLab REST API or GraphQL API.
Query for project ID given full path
In order to make the following GitLab API calls, you need to have a GitLab Personal access token (PAT), and export it as an environment variable.
export GITLAB_PAT=glpat-xxxxxxxxxx
You should have the full path to the project in-hand already, but you may not have the numerical id of that project. While this can be manually viewed through the web UI at Settings>General, let’s do it programmatically.
GITLAB_HOST="gitlab.com" project_path="myroot-group/myparent-group/myproject" # retrieve full details of project project_path_encoded=$(echo -n "$project_path" | jq -sRr @uri) project_json=$(curl -s -XGET -H "Content-Type: application/json" --header "PRIVATE-TOKEN: $GITLAB_PAT" "https://$GITLAB_HOST/api/v4/projects/$project_path_encoded") # parse out just project id project_id=$(echo "$project_json" | jq -r '.id')
Query project level CI/CD variables
Now armed with the project identifier, we can query for the project-level CI/CD variables.
# query project-level CI/CD variables REST_URL="https://$GITLAB_HOST/api/v4/projects/$project_id/variables" curl --silent --header "PRIVATE-TOKEN: $GITLAB_PAT" "$REST_URL"
Query group-level CI/CD variables
If this project is part of a group, the CI/CD variables from that parent group will be inherited and also applied to the project.
# get parent group identifier from project details group_id=$(echo "$project_json" | jq -r 'select(.namespace.kind == "group") | .namespace.id') # query group-level CI/CD variables (requires group ownership) REST_URL="https://$GITLAB_HOST/api/v4/groups/$group_id/variables" curl --silent --header "PRIVATE-TOKEN: $GITLAB_PAT" "$REST_URL"
Note that a project can be part of an inherited chain of many groups, this only returns the CI/CD variables of the immediate parent. You would need to add logic to query down each parent group in order to get the full list of inherited values.
Query inherited CI/CD variables using GraphQL
As noted above, if you do not own the group then you cannot query its CI/CD variables. However, notice that through the GitLab web UI, if you view a project you can see its inherited CI/CD group+instance variables. You cannot see their values, BUT you can see their names and types.
This is because there is an alternative way of querying GitLab called GraphQL, that supports a ‘inheritedCiVariables’ query that can recursively fetch all the CI/CD variables for a project (but not their values).
GRAPHQL_URL="https://$GITLAB_HOST/api/graphql"
GRAPHQL_QUERY="query {
project(fullPath: \"$project_path\") {
inheritedCiVariables {
nodes {
key
variableType
environmentScope
protected
groupName
}
}
}
}"
# query inherited CI/CD variables
curl --silent --header "Authorization: Bearer $GITLAB_PAT" \
--header "Content-Type: application/json" \
--data "{\"query\": $(echo "$GRAPHQL_QUERY" | jq -aRs .)}" \
"$GRAPHQL_URL"
Example script
I have a full example script, gitlab-query-ci-cd-vars.sh available.
# download script and make executable wget https://raw.githubusercontent.com/fabianlee/blogcode/refs/heads/master/gitlab/gitlab-query-ci-cd-vars.sh chmod +x gitlab-query-ci-cd-vars.sh # do queries for project and inherited CI/CD vars # make sure GITLAB_PAT exists as env variable ./gitlab-query-ci-cd-vars.sh /full/path/mygitlab_project
REFERENCES
GitLab docs, API project level variables
GitLab docs, API group level variables
GitLab docs, create Personal Access Token
NOTES
# list only explicitly defined project variables
curl –request GET –header “PRIVATE-TOKEN: <your_access_token>” “https://gitlab.example.com/api/v4/projects/<project_id>/variables”
# list group level vars
curl –request GET –header “PRIVATE-TOKEN: <your_access_token>” “https://gitlab.example.com/api/v4/groups/<group_id>/variables”