There used to be a way for an anonymous user - such as a script - to query certain aspects of Jenkins via its REST API. For example, finding out the name of a user who started a particular build job, or the date it executed. However, the security model changed in the last few years, which seems to make this much more difficult, even for read-only access.
I'm using Jenkins with ADS authentication. I need to provide API access to a script, but I don't want to use a particular user's personal API token (hard-coded in the script) because the script might be run by anyone in my organisation, including as part of other automation, and I don't want to tie this to a specific employee.
Instead I need a job-based token - one which is set for the job. There's a build token, but I don't think this works for the REST API.
I thought about creating a special "auto" user, and creating a token for that user, but the Active Directory config seems to prevent me from creating new Jenkins users. I cannot create a new AD user because I simply don't have the ability to do that in my organisation.
What's the best approach to using API tokens for anonymous access? Also, is there a way to ensure the token only provides limited access - e.g. read only? Ideally such a token would be restricted to a specific set of jobs, rather than global.
There is not. Feature request is JENKINS-56465.
See https://stackoverflow.com/a/49938577/97831 on how to add users to the Jenkins database with authentication already enabled.
API tokens are the same as a password, functionally speaking. If you could do it with the password, you can do it with the API token. If you want an API token to have read-only access, then the user it's associated with should be restricted to read-only access.
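An added example, not part of the question or the answers above: a script that reads the API token of a dedicated read-only Jenkins user from the environment instead of hard-coding it, then extracts who started a build and when. The environment variable names, the `svc-reader` style account and the sample response are assumptions constructed for illustration.

```python
import base64
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Ask Jenkins only for the fields the script needs.
TREE = "timestamp,actions[causes[userId,userName]]"


def build_request(base_url, job, build, user, token):
    """Prepare a GET for one build's metadata using HTTP Basic auth (user:API token)."""
    url = "{}/job/{}/{}/api/json?{}".format(
        base_url.rstrip("/"), urllib.parse.quote(job, safe=""), build,
        urllib.parse.urlencode({"tree": TREE}))
    cred = base64.b64encode("{}:{}".format(user, token).encode()).decode()
    return urllib.request.Request(url, headers={"Authorization": "Basic " + cred})


def summarize_build(payload):
    """Return (user id that started the build, or None; UTC start time)."""
    data = json.loads(payload)
    # Jenkins reports the build start as milliseconds since the epoch.
    started = datetime.fromtimestamp(data["timestamp"] / 1000, tz=timezone.utc)
    for action in data.get("actions", []):
        for cause in (action or {}).get("causes", []):
            if cause.get("userId"):
                return cause["userId"], started
    return None, started  # timer- or SCM-triggered builds carry no userId


# Constructed sample of a build JSON response, for offline use.
SAMPLE = ('{"timestamp": 1700000000000, "actions": [{}, '
          '{"causes": [{"userId": "jdoe", "userName": "Jane Doe"}]}]}')

if __name__ == "__main__":
    # Hypothetical variable names; the token never appears in the script itself.
    req = build_request(os.environ["JENKINS_URL"], os.environ["JENKINS_JOB"],
                        os.environ.get("JENKINS_BUILD", "lastBuild"),
                        os.environ["JENKINS_USER"], os.environ["JENKINS_TOKEN"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        print(summarize_build(resp.read()))
```

Because the token carries exactly the permissions of its user, what this script can reach is decided by the authorization settings for that account, not by anything in the script.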