debian-mirror-gitlab/doc/user/project/settings/project_access_tokens.md

---
stage: Manage
group: Authentication and Authorization
info: "To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments"
type: reference, howto
---

# Project access tokens

> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/210181) in GitLab 13.0.
> - [Became available on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/235765) in GitLab 13.5 for paid groups only.
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/235765) in GitLab 13.5.
> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/342327) in GitLab 14.5. Default prefix added.

Project access tokens are similar to passwords, except you can [limit access to resources](#scopes-for-a-project-access-token),
select a limited role, and provide an expiry date.

Use a project access token to authenticate:

- With the [GitLab API](../../../api/index.md#personalprojectgroup-access-tokens).
- With Git, when using HTTP Basic Authentication, use:
  - Any non-blank value as a username.
  - The project access token as the password.

Project access tokens are similar to [group access tokens](../../group/settings/group_access_tokens.md)
and [personal access tokens](../../profile/personal_access_tokens.md).

In self-managed instances, project access tokens are subject to the same [maximum lifetime limits](../../admin_area/settings/account_and_limit_settings.md#limit-the-lifetime-of-access-tokens) as personal access tokens if the limit is set.

You can use project access tokens:

- On GitLab SaaS if you have the Premium license tier or higher. Project access tokens are not available with a [trial license](https://about.gitlab.com/free-trial/).
- On self-managed instances of GitLab, with any license tier. If you have the Free tier:
  - Review your security and compliance policies around
    [user self-enrollment](../../admin_area/settings/sign_up_restrictions.md#disable-new-sign-ups).
  - Consider [disabling project access tokens](#enable-or-disable-project-access-token-creation) to
    lower potential abuse.

You cannot use project access tokens to create other access tokens.

Project access tokens inherit the [default prefix setting](../../admin_area/settings/account_and_limit_settings.md#personal-access-token-prefix)
configured for personal access tokens.

## Create a project access token

To create a project access token:

1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Settings > Access Tokens**.
1. Enter a name. The token name is visible to any user with permissions to view the project.
1. Optional. Enter an expiry date for the token. The token expires on that date at midnight UTC. An instance-wide [maximum lifetime](../../admin_area/settings/account_and_limit_settings.md#limit-the-lifetime-of-access-tokens) setting can limit the maximum allowable lifetime in self-managed instances.
1. Select a role for the token.
1. Select the [desired scopes](#scopes-for-a-project-access-token).
1. Select **Create project access token**.

A project access token is displayed. Save the project access token somewhere safe. After you leave or refresh the page, you can't view it again.

## Revoke a project access token

To revoke a project access token:

1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Settings > Access Tokens**.
1. Next to the project access token to revoke, select **Revoke**.

## Scopes for a project access token

The scope determines the actions you can perform when you authenticate with a project access token.

| Scope | Description |
|:-------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `api` | Grants complete read and write access to the scoped project API, including the [Package Registry](../../packages/package_registry/index.md). |
| `read_api` | Grants read access to the scoped project API, including the [Package Registry](../../packages/package_registry/index.md). |
| `read_registry` | Allows read access (pull) to the [Container Registry](../../packages/container_registry/index.md) images if a project is private and authorization is required. |
| `write_registry` | Allows write access (push) to the [Container Registry](../../packages/container_registry/index.md). |
| `read_repository` | Allows read access (pull) to the repository. |
| `write_repository` | Allows read and write access (pull and push) to the repository. |

## Enable or disable project access token creation

> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/287707) in GitLab 13.11.

To enable or disable project access token creation for all projects in a top-level group:

1. On the top bar, select **Menu > Groups** and find your group.
1. On the left sidebar, select **Settings > General**.
1. Expand **Permissions and group features**.
1. Under **Permissions**, turn on or off **Allow project and group access token creation**.

Even when creation is disabled, you can still use and revoke existing project access tokens.

## Bot users for projects

> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/210181) in GitLab 13.0.
> - [Excluded from license seat use](https://gitlab.com/gitlab-org/gitlab/-/issues/223695) in GitLab 13.5.

Bot users for projects are [GitLab-created service accounts](../../../subscriptions/self_managed/index.md#billable-users).
Each time you create a project access token, a bot user is created and added to the project.
These bot users do not count as licensed seats.

The bot users for projects have [permissions](../../permissions.md#project-members-permissions) that correspond with the
selected role and [scope](#scopes-for-a-project-access-token) of the project access token.

- The name is set to the name of the token.
- The username is set to `project_{project_id}_bot` for the first access token. For example, `project_123_bot`.
- The email is set to `project{project_id}_bot@noreply.{Gitlab.config.gitlab.host}`. For example, `project123_bot@noreply.example.com`.
- For additional access tokens in the same project, the username is set to `project_{project_id}_bot{bot_count}`. For
  example, `project_123_bot1`.
- For additional access tokens in the same project, the email is set to `project{project_id}_bot{bot_count}@noreply.{Gitlab.config.gitlab.host}`.
  For example, `project123_bot1@noreply.example.com`.

API calls made with a project access token are associated with the corresponding bot user.

Bot users for projects:

- Are included in a project's member list but cannot be modified.
- Cannot be added to any other project.

When the project access token is [revoked](#revoke-a-project-access-token):

- The bot user is deleted.
- All records are moved to a system-wide user with the username [Ghost User](../../profile/account/delete_account.md#associated-records).

See also [Bot users for groups](../../group/settings/group_access_tokens.md#bot-users-for-groups).
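
Because API calls made with a token are attributed to its bot user, an audit of a member list or activity export can use the naming scheme above to pick out token-backed accounts and check them for consistency. The following is an added example, not GitLab code: the function names, the `review` verdict and the record layout (`username`, `email`, `project_id`) are assumptions, and the sample records are constructed.

```python
import re
from typing import Optional, Tuple

# Naming scheme documented above:
#   username: project_{project_id}_bot{bot_count}
#   email:    project{project_id}_bot{bot_count}@noreply.{host}
# {bot_count} is absent for the first token in a project.
USERNAME_RE = re.compile(r"project_(\d+)_bot(\d*)")
EMAIL_RE = re.compile(r"project(\d+)_bot(\d*)@noreply\.(.+)")

def parse_bot_username(username: str) -> Optional[Tuple[int, str]]:
    """Return (project_id, bot_count suffix), or None if not bot-shaped."""
    m = USERNAME_RE.fullmatch(username)
    return (int(m.group(1)), m.group(2)) if m else None

def classify_member(member: dict, instance_host: str) -> str:
    """Classify one record as 'other', 'project_bot' or 'review'."""
    bot = parse_bot_username(member["username"])
    if bot is None:
        return "other"
    m = EMAIL_RE.fullmatch(member.get("email", ""))
    if m is None or m.group(3) != instance_host:
        return "review"  # bot-shaped username, email off the documented scheme
    if (int(m.group(1)), m.group(2)) != bot:
        return "review"  # username and email disagree on id or bot_count
    if member.get("project_id") != bot[0]:
        return "review"  # bot users cannot be added to any other project
    return "project_bot"

# Constructed sample records (hypothetical layout, not real API output).
SAMPLE_MEMBERS = [
    {"username": "project_123_bot", "email": "project123_bot@noreply.example.com", "project_id": 123},
    {"username": "project_123_bot1", "email": "project123_bot1@noreply.example.com", "project_id": 123},
    {"username": "alice", "email": "alice@example.com", "project_id": 123},
    {"username": "project_123_bot2", "email": "project123_bot2@noreply.example.com", "project_id": 456},
    {"username": "project_123_bot3", "email": "ops@example.org", "project_id": 123},
]

def audit(members, instance_host="example.com"):
    """Map each username to its verdict."""
    return {m["username"]: classify_member(m, instance_host) for m in members}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_MEMBERS).items():
        print(f"{name:20} {verdict}")
```

A `review` verdict only means the record does not fit the documented scheme; it is a prompt to look at the account, not proof of misuse.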