2019-09-04 21:01:54 +05:30
---
2020-05-24 23:13:21 +05:30
stage: Release
2021-02-22 17:27:13 +05:30
group: Release
2022-11-25 23:54:43 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
2019-09-04 21:01:54 +05:30
---
2021-03-11 19:13:27 +05:30
# Protected environments **(PREMIUM)**
2019-07-07 11:18:12 +05:30
2021-11-18 22:05:49 +05:30
[Environments ](../environments/index.md ) can be used for both testing and
production reasons.
2019-07-07 11:18:12 +05:30
2021-11-18 22:05:49 +05:30
Because deploy jobs can be raised by different users with different roles, it's
important to be able to protect specific environments from the effects of
unauthorized users.
2019-07-07 11:18:12 +05:30
2021-11-18 22:05:49 +05:30
By default, a protected environment ensures that only people with the
appropriate privileges can deploy to it, keeping the environment safe.
2019-07-07 11:18:12 +05:30
2021-02-22 17:27:13 +05:30
NOTE:
2021-11-18 22:05:49 +05:30
GitLab administrators can use all environments, including protected environments.
2019-07-07 11:18:12 +05:30
2021-09-04 01:27:46 +05:30
To protect, update, or unprotect an environment, you need to have at least the
2022-04-04 11:22:00 +05:30
Maintainer role.
2019-07-07 11:18:12 +05:30
## Protecting environments
2022-10-11 01:57:18 +05:30
Prerequisites:
2023-04-23 21:23:45 +05:30
- When granting the **Allowed to deploy** permission to a group or subgroup, the user configuring the protected environment must be a **direct member** of the group or subgroup to be added. Otherwise, the group or subgroup does not show up in the dropdown list. For more information see [issue #345140 ](https://gitlab.com/gitlab-org/gitlab/-/issues/345140 ).
2022-10-11 01:57:18 +05:30
2019-07-07 11:18:12 +05:30
To protect an environment:
2022-10-11 01:57:18 +05:30
1. On the top bar, select **Main menu > Projects** and find your project.
2021-10-27 15:23:28 +05:30
1. On the left sidebar, select **Settings > CI/CD** .
1. Expand **Protected environments** .
1. From the **Environment** list, select the environment you want to protect.
1. In the **Allowed to deploy** list, select the role, users, or groups you
2019-07-31 22:56:46 +05:30
want to give deploy access to. Keep in mind that:
- There are two roles to choose from:
2021-10-27 15:23:28 +05:30
- **Maintainers**: Allows access to all of the project's users with the Maintainer role.
- **Developers**: Allows access to all of the project's users with the Maintainer and Developer role.
- You can select groups that are already associated with the project only.
- Users must have at least the Developer role to appear in
the **Allowed to deploy** list.
2022-04-04 11:22:00 +05:30
1. In the **Required approvals** list, select the number of approvals required to deploy to this environment.
- Ensure that this number is less than the number of users allowed to deploy.
- See [Deployment Approvals ](deployment_approvals.md ) for more information about this feature.
2021-10-27 15:23:28 +05:30
1. Select **Protect** .
2019-07-07 11:18:12 +05:30
2021-03-08 18:12:59 +05:30
The protected environment now appears in the list of protected environments.
2019-07-07 11:18:12 +05:30
2021-01-29 00:20:46 +05:30
### Use the API to protect an environment
Alternatively, you can use the API to protect an environment:
1. Use a project with a CI that creates an environment. For example:
```yaml
stages:
- test
- deploy
test:
stage: test
script:
- 'echo "Testing Application: ${CI_PROJECT_NAME}"'
production:
stage: deploy
when: manual
script:
- 'echo "Deploying to ${CI_ENVIRONMENT_NAME}"'
2021-04-29 21:17:54 +05:30
environment:
name: ${CI_JOB_NAME}
2021-01-29 00:20:46 +05:30
```
2022-08-27 11:52:29 +05:30
1. Use the UI to [create a new group ](../../user/group/manage.md#create-a-group ).
2021-01-29 00:20:46 +05:30
For example, this group is called `protected-access-group` and has the group ID `9899826` . Note
that the rest of the examples in these steps use this group.
1. Use the API to add a user to the group as a reporter:
```shell
2021-09-04 01:27:46 +05:30
$ curl --request POST --header "PRIVATE-TOKEN: < your_access_token > " \
--data "user_id=3222377& access_level=20" "https://gitlab.com/api/v4/groups/9899826/members"
2021-01-29 00:20:46 +05:30
2022-01-26 12:08:38 +05:30
{"id":3222377,"name":"Sean Carroll","username":"sfcarroll","state":"active","avatar_url":"https://gitlab.com/uploads/-/system/user/avatar/3222377/avatar.png","web_url":"https://gitlab.com/sfcarroll","access_level":20,"created_at":"2020-10-26T17:37:50.309Z","expires_at":null}
2021-01-29 00:20:46 +05:30
```
1. Use the API to add the group to the project as a reporter:
```shell
2021-09-04 01:27:46 +05:30
$ curl --request POST --header "PRIVATE-TOKEN: < your_access_token > " \
--request POST "https://gitlab.com/api/v4/projects/22034114/share?group_id=9899826& group_access=20"
2021-01-29 00:20:46 +05:30
{"id":1233335,"project_id":22034114,"group_id":9899826,"group_access":20,"expires_at":null}
```
1. Use the API to add the group with protected environment access:
```shell
2022-04-04 11:22:00 +05:30
curl --header 'Content-Type: application/json' --request POST --data '{"name": "production", "deploy_access_levels": [{"group_id": 9899826}], "required_approval_count": 0}' \
2021-09-04 01:27:46 +05:30
--header "PRIVATE-TOKEN: < your_access_token > " "https://gitlab.com/api/v4/projects/22034114/protected_environments"
2021-01-29 00:20:46 +05:30
```
The group now has access and can be seen in the UI.
2020-11-24 15:15:51 +05:30
## Environment access by group membership
2021-12-11 22:18:48 +05:30
A user may be granted access to protected environments as part of [group membership ](../../user/group/index.md ). Users
2022-04-04 11:22:00 +05:30
with the Reporter role can only be granted access to protected environments with this
2021-12-11 22:18:48 +05:30
method.
2020-11-24 15:15:51 +05:30
## Deployment branch access
2022-04-04 11:22:00 +05:30
Users with the Developer role can be granted
2020-11-24 15:15:51 +05:30
access to a protected environment through any of these methods:
- As an individual contributor, through a role.
- Through a group membership.
If the user also has push or merge access to the branch deployed on production,
they have the following privileges:
2021-10-27 15:23:28 +05:30
- [Stop an environment ](index.md#stop-an-environment ).
2023-04-23 21:23:45 +05:30
- [Delete an environment ](index.md#delete-an-environment ).
2021-12-11 22:18:48 +05:30
- [Create an environment terminal ](index.md#web-terminals-deprecated ).
2020-11-24 15:15:51 +05:30
## Deployment-only access to protected environments
Users granted access to a protected environment, but not push or merge access
2022-07-23 23:45:48 +05:30
to the branch deployed to it, are only granted access to deploy the environment.
2023-03-04 22:38:38 +05:30
[Invited groups ](../../user/project/members/share_project_with_groups.md#share-a-project-with-a-group ) added
2022-11-25 23:54:43 +05:30
to the project with [Reporter role ](../../user/permissions.md#project-members-permissions ), appear in the dropdown list for deployment-only access.
2020-11-24 15:15:51 +05:30
2021-04-17 20:07:23 +05:30
To add deployment-only access:
2022-07-23 23:45:48 +05:30
1. Create a group with members who are granted to access to the protected environment, if it doesn't exist yet.
2023-03-04 22:38:38 +05:30
1. [Invite the group ](../../user/project/members/share_project_with_groups.md#share-a-project-with-a-group ) to the project with the Reporter role.
2021-10-27 15:23:28 +05:30
1. Follow the steps in [Protecting Environments ](#protecting-environments ).
2021-04-17 20:07:23 +05:30
2019-07-07 11:18:12 +05:30
## Modifying and unprotecting environments
Maintainers can:
2019-07-31 22:56:46 +05:30
- Update existing protected environments at any time by changing the access in the
2022-11-25 23:54:43 +05:30
**Allowed to Deploy** dropdown list.
2023-01-13 00:05:48 +05:30
- Unprotect a protected environment by selecting the **Unprotect** button for that environment.
2019-09-04 21:01:54 +05:30
2020-11-24 15:15:51 +05:30
After an environment is unprotected, all access entries are deleted and must
be re-entered if the environment is re-protected.
2020-06-23 00:09:42 +05:30
For more information, see [Deployment safety ](deployment_safety.md ).
2021-09-04 01:27:46 +05:30
## Group-level protected environments
2021-11-18 22:05:49 +05:30
> - Introduced in GitLab 14.0 [with a flag](https://gitlab.com/gitlab-org/gitlab/-/issues/215888) named `group_level_protected_environments`. Disabled by default.
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/331085) in GitLab 14.3.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/331085) in GitLab 14.3.
2021-09-04 01:27:46 +05:30
Typically, large enterprise organizations have an explicit permission boundary
between [developers and operators ](https://about.gitlab.com/topics/devops/ ).
Developers build and test their code, and operators deploy and monitor the
2022-05-07 20:08:51 +05:30
application. With group-level protected environments, operators can
restrict access to critical environments from developers. Group-level protected environments
2021-09-04 01:27:46 +05:30
extend the [project-level protected environments ](#protecting-environments )
to the group-level.
The permissions of deployments can be illustrated in the following table:
| Environment | Developer | Operator | Category |
|-------------|------------|----------|----------|
| Development | Allowed | Allowed | Lower environment |
| Testing | Allowed | Allowed | Lower environment |
| Staging | Disallowed | Allowed | Higher environment |
| Production | Disallowed | Allowed | Higher environment |
_(Reference: [Deployment environments on Wikipedia ](https://en.wikipedia.org/wiki/Deployment_environment ))_
### Group-level protected environments names
Contrary to project-level protected environments, group-level protected
environments use the [deployment tier ](index.md#deployment-tier-of-environments )
as their name.
A group may consist of many project environments that have unique names.
For example, Project-A has a `gprd` environment and Project-B has a `Production`
environment, so protecting a specific environment name doesn't scale well.
By using deployment tiers, both are recognized as `production` deployment tier
and are protected at the same time.
### Configure group-level memberships
2022-08-27 11:52:29 +05:30
> - Operators are required to have Owner+ role from the original Maintainer+ role and this role change is introduced from GitLab 15.3 [with a flag](https://gitlab.com/gitlab-org/gitlab/-/issues/369873) named `group_level_protected_environment_settings_permission`. Enabled by default.
2022-11-25 23:54:43 +05:30
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/369873) in GitLab 15.4.
2022-08-27 11:52:29 +05:30
2021-09-04 01:27:46 +05:30
To maximize the effectiveness of group-level protected environments,
[group-level memberships ](../../user/group/index.md ) must be correctly
configured:
2023-03-04 22:38:38 +05:30
- Operators should be given the Owner role
2022-01-26 12:08:38 +05:30
for the top-level group. They can maintain CI/CD configurations for
2021-09-04 01:27:46 +05:30
the higher environments (such as production) in the group-level settings page,
2021-10-27 15:23:28 +05:30
which includes group-level protected environments,
2021-11-18 22:05:49 +05:30
[group-level runners ](../runners/runners_scope.md#group-runners ), and
[group-level clusters ](../../user/group/clusters/index.md ). Those
2021-09-04 01:27:46 +05:30
configurations are inherited to the child projects as read-only entries.
This ensures that only operators can configure the organization-wide
deployment ruleset.
2022-04-04 11:22:00 +05:30
- Developers should be given no more than the Developer role
2023-03-17 16:20:25 +05:30
for the top-level group, or explicitly given the Owner role for a child project.
2022-07-23 23:45:48 +05:30
They do *not* have access to the CI/CD configurations in the
2021-09-04 01:27:46 +05:30
top-level group, so operators can ensure that the critical configuration won't
be accidentally changed by the developers.
2022-11-25 23:54:43 +05:30
- For subgroups and child projects:
- Regarding [subgroups ](../../user/group/subgroups/index.md ), if a higher
2021-09-04 01:27:46 +05:30
group has configured the group-level protected environment, the lower groups
cannot override it.
- [Project-level protected environments ](#protecting-environments ) can be
combined with the group-level setting. If both group-level and project-level
2021-10-27 15:23:28 +05:30
environment configurations exist, to run a deployment job, the user must be allowed in **both**
rulesets.
- In a project or a subgroup of the top-level group, developers can be
2022-04-04 11:22:00 +05:30
safely assigned the Maintainer role to tune their lower environments (such
2021-09-04 01:27:46 +05:30
as `testing` ).
Having this configuration in place:
- If a user is about to run a deployment job in a project and allowed to deploy
to the environment, the deployment job proceeds.
- If a user is about to run a deployment job in a project but disallowed to
deploy to the environment, the deployment job fails with an error message.
2022-05-07 20:08:51 +05:30
### Protect critical environments under a group
2021-09-04 01:27:46 +05:30
2022-07-23 23:45:48 +05:30
To protect a group-level environment, make sure your environments have the correct
[`deployment_tier` ](index.md#deployment-tier-of-environments ) defined in `.gitlab-ci.yml` .
2021-09-04 01:27:46 +05:30
2022-07-23 23:45:48 +05:30
#### Using the UI
2021-09-04 01:27:46 +05:30
2022-07-23 23:45:48 +05:30
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/325249) in GitLab 15.1.
2022-10-11 01:57:18 +05:30
1. On the top bar, select **Main menu > Groups** and find your group.
2022-07-23 23:45:48 +05:30
1. On the left sidebar, select **Settings > CI/CD** .
1. Expand **Protected environments** .
1. From the **Environment** list, select the [deployment tier of environments ](index.md#deployment-tier-of-environments ) you want to protect.
1. In the **Allowed to deploy** list, select the [subgroups ](../../user/group/subgroups/index.md ) you want to give deploy access to.
1. Select **Protect** .
#### Using the API
Configure the group-level protected environments by using the [REST API ](../../api/group_protected_environments.md ).
2021-09-04 01:27:46 +05:30
2022-03-02 08:16:31 +05:30
## Deployment approvals
Protected environments can also be used to require manual approvals before deployments. See [Deployment approvals ](deployment_approvals.md ) for more information.
2022-11-25 23:54:43 +05:30
## Troubleshooting
2019-09-04 21:01:54 +05:30
2022-11-25 23:54:43 +05:30
### Reporter can't run a trigger job that deploys to a protected environment in downstream pipeline
2019-09-04 21:01:54 +05:30
2023-04-23 21:23:45 +05:30
A user who has [deployment-only access to protected environments ](#deployment-only-access-to-protected-environments ) might **not** be able to run a job if it's with a [`trigger` ](../yaml/index.md#trigger ) keyword. This is because the job is missing the [`environment` ](../yaml/index.md#environment ) keyword definition to associate the job with the protected environment, therefore the job is recognized as a standard job that uses [regular CI/CD permission model ](../../user/permissions.md#gitlab-cicd-permissions ).
2022-11-25 23:54:43 +05:30
2023-04-23 21:23:45 +05:30
See [this issue ](https://gitlab.com/groups/gitlab-org/-/epics/8483 ) for more information about supporting `environment` keyword with `trigger` keyword.
