2020-06-23 00:09:42 +05:30
---
stage: Release
2021-02-22 17:27:13 +05:30
group: Release
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
2020-06-23 00:09:42 +05:30
---
2021-04-29 21:17:54 +05:30
# Deploy tokens
2018-05-09 12:01:36 +05:30
2020-06-23 00:09:42 +05:30
> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/199370) from **Settings > Repository** in GitLab 12.9.
2020-04-22 19:07:51 +05:30
> - [Added `write_registry` scope](https://gitlab.com/gitlab-org/gitlab/-/issues/22743) in GitLab 12.10.
2021-04-17 20:07:23 +05:30
> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/29280) from **Settings > CI/CD** in GitLab 12.10.1.
2020-07-28 23:09:34 +05:30
> - [Added package registry scopes](https://gitlab.com/gitlab-org/gitlab/-/issues/213566) in GitLab 13.0.
2018-05-09 12:01:36 +05:30
2021-01-29 00:20:46 +05:30
Deploy tokens allow you to download (`git clone`) or push and pull packages and
container registry images of a project without having a user and a password.
2018-05-09 12:01:36 +05:30
2020-04-08 14:13:33 +05:30
Deploy tokens can be managed by [maintainers only ](../../permissions.md ).
2021-02-22 17:27:13 +05:30
Deploy tokens cannot be used with the GitLab API.
2021-10-27 15:23:28 +05:30
Deploy tokens are tied to the project and stay enabled even when the user who created the token is removed from the project.
2021-04-17 20:07:23 +05:30
If you have a key pair, you might want to use [deploy keys ](../../project/deploy_keys/index.md )
2021-01-29 00:20:46 +05:30
instead.
2018-05-09 12:01:36 +05:30
2021-04-29 21:17:54 +05:30
## Creating a Deploy token
2018-05-09 12:01:36 +05:30
2021-01-29 00:20:46 +05:30
You can create as many deploy tokens as you need from the settings of your
project. Alternatively, you can also create [group-scoped deploy tokens ](#group-deploy-token ).
2018-05-09 12:01:36 +05:30
2021-01-29 00:20:46 +05:30
1. Sign in to your GitLab account.
2021-12-11 22:18:48 +05:30
1. On the top bar, select **Menu > Projects** or **Menu > Groups** to find your project or group.
1. On the left sidebar, select **Settings > Repository** .
1. Expand **Deploy tokens** .
1. Choose a name, and optionally, an expiration date and username for the token.
2018-05-09 12:01:36 +05:30
1. Choose the [desired scopes ](#limiting-scopes-of-a-deploy-token ).
2021-01-29 00:20:46 +05:30
1. Select **Create deploy token** .
2021-12-11 22:18:48 +05:30
Save the deploy token somewhere safe. After you leave or refresh
the page, **you can't access it again** .
2018-05-09 12:01:36 +05:30
2021-02-22 17:27:13 +05:30
![Personal access tokens page ](img/deploy_tokens_ui.png )
2018-05-09 12:01:36 +05:30
2020-04-08 14:13:33 +05:30
## Deploy token expiration
2021-01-29 00:20:46 +05:30
Deploy tokens expire at midnight UTC on the date you define.
2020-04-08 14:13:33 +05:30
2018-10-15 14:42:47 +05:30
## Revoking a deploy token
2018-05-09 12:01:36 +05:30
2021-12-11 22:18:48 +05:30
To revoke a deploy token:
1. On the top bar, select **Menu > Projects** or **Menu > Groups** to find your project or group.
1. On the left sidebar, select **Settings > Repository** .
1. Expand **Deploy tokens** .
1. In the **Active Deploy Tokens** section, by the token you want to revoke, select **Revoke** .
2018-05-09 12:01:36 +05:30
## Limiting scopes of a deploy token
2021-01-29 00:20:46 +05:30
Deploy tokens can be created with different scopes that allow various actions
that a given token can perform. The available scopes are depicted in the
following table along with GitLab version it was introduced in:
2018-05-09 12:01:36 +05:30
2021-01-29 00:20:46 +05:30
| Scope | Description | Introduced in GitLab Version |
|--------------------------|-------------|------------------------------|
2021-11-18 22:05:49 +05:30
| `read_repository` | Allows read-access to the repository through `git clone` | -- |
| `read_registry` | Allows read-access to [container registry ](../../packages/container_registry/index.md ) images if a project is private and authorization is required. | -- |
2021-01-29 00:20:46 +05:30
| `write_registry` | Allows write-access (push) to [container registry ](../../packages/container_registry/index.md ). | 12.10 |
| `read_package_registry` | Allows read access to the package registry. | 13.0 |
2020-07-28 23:09:34 +05:30
| `write_package_registry` | Allows write access to the package registry. | 13.0 |
2018-05-09 12:01:36 +05:30
2019-09-30 21:07:59 +05:30
## Deploy token custom username
2020-03-13 15:44:24 +05:30
> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/29639) in GitLab 12.1.
2019-09-30 21:07:59 +05:30
2021-03-11 19:13:27 +05:30
The default username format is `gitlab+deploy-token-{n}` . Some tools or
2021-01-29 00:20:46 +05:30
platforms may not support this format; in this case you can specify a custom
username to be used when creating the deploy token.
2019-09-30 21:07:59 +05:30
2018-05-09 12:01:36 +05:30
## Usage
### Git clone a repository
2021-04-29 21:17:54 +05:30
To download a repository using a deploy token:
2018-05-09 12:01:36 +05:30
2021-04-29 21:17:54 +05:30
1. Create a deploy token with `read_repository` as a scope.
2019-02-15 15:39:39 +05:30
1. Take note of your `username` and `token` .
2021-04-29 21:17:54 +05:30
1. `git clone` the project using the deploy token:
2018-05-09 12:01:36 +05:30
2020-03-13 15:44:24 +05:30
```shell
2020-05-24 23:13:21 +05:30
git clone https://< username > :< deploy_token > @gitlab.example.com/tanuki/awesome_project.git
2019-09-30 21:07:59 +05:30
```
2018-05-09 12:01:36 +05:30
2018-12-13 13:39:08 +05:30
Replace `<username>` and `<deploy_token>` with the proper values.
2018-05-09 12:01:36 +05:30
2018-12-13 13:39:08 +05:30
### Read Container Registry images
2018-05-09 12:01:36 +05:30
2021-03-08 18:12:59 +05:30
To read the container registry images, you must:
2018-05-09 12:01:36 +05:30
2021-04-29 21:17:54 +05:30
1. Create a deploy token with `read_registry` as a scope.
2019-02-15 15:39:39 +05:30
1. Take note of your `username` and `token` .
2021-02-22 17:27:13 +05:30
1. Sign in to the GitLab Container Registry using the deploy token:
2018-05-09 12:01:36 +05:30
2020-03-13 15:44:24 +05:30
```shell
2019-12-21 20:55:43 +05:30
docker login -u < username > -p < deploy_token > registry.example.com
2018-05-09 12:01:36 +05:30
```
2021-01-29 00:20:46 +05:30
Replace `<username>` and `<deploy_token>` with the proper values. You can now
2018-05-09 12:01:36 +05:30
pull images from your Container Registry.
2020-04-22 19:07:51 +05:30
### Push Container Registry images
2020-07-28 23:09:34 +05:30
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22743) in GitLab 12.10.
2021-03-08 18:12:59 +05:30
To push the container registry images, you must:
2020-04-22 19:07:51 +05:30
2021-04-29 21:17:54 +05:30
1. Create a deploy token with `write_registry` as a scope.
2020-04-22 19:07:51 +05:30
1. Take note of your `username` and `token` .
2021-02-22 17:27:13 +05:30
1. Sign in to the GitLab Container Registry using the deploy token:
2020-04-22 19:07:51 +05:30
```shell
docker login -u < username > -p < deploy_token > registry.example.com
```
2021-01-29 00:20:46 +05:30
Replace `<username>` and `<deploy_token>` with the proper values. You can now
2020-04-22 19:07:51 +05:30
push images to your Container Registry.
2020-05-24 23:13:21 +05:30
### Read or pull packages
2020-07-28 23:09:34 +05:30
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213566) in GitLab 13.0.
2021-03-08 18:12:59 +05:30
To pull packages in the GitLab package registry, you must:
2020-05-24 23:13:21 +05:30
2021-04-29 21:17:54 +05:30
1. Create a deploy token with `read_package_registry` as a scope.
2020-05-24 23:13:21 +05:30
1. Take note of your `username` and `token` .
2021-01-29 00:20:46 +05:30
1. For the [package type of your choice ](../../packages/index.md ), follow the
authentication instructions for deploy tokens.
2020-05-24 23:13:21 +05:30
2021-06-08 01:23:25 +05:30
Example request publishing a NuGet package using a deploy token:
2021-04-17 20:07:23 +05:30
```shell
2021-06-08 01:23:25 +05:30
nuget source Add -Name GitLab -Source "https://gitlab.example.com/api/v4/projects/10/packages/nuget/index.json" -UserName deploy-token-username -Password 12345678asdf
2021-04-17 20:07:23 +05:30
2021-06-08 01:23:25 +05:30
nuget push mypkg.nupkg -Source GitLab
2021-04-17 20:07:23 +05:30
```
2020-05-24 23:13:21 +05:30
### Push or upload packages
2020-07-28 23:09:34 +05:30
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213566) in GitLab 13.0.
2021-03-08 18:12:59 +05:30
To upload packages in the GitLab package registry, you must:
2020-05-24 23:13:21 +05:30
2021-04-29 21:17:54 +05:30
1. Create a deploy token with `write_package_registry` as a scope.
2020-05-24 23:13:21 +05:30
1. Take note of your `username` and `token` .
2021-01-29 00:20:46 +05:30
1. For the [package type of your choice ](../../packages/index.md ), follow the
authentication instructions for deploy tokens.
2020-05-24 23:13:21 +05:30
2021-04-29 21:17:54 +05:30
### Group deploy token
2020-04-08 14:13:33 +05:30
2020-06-23 00:09:42 +05:30
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/21765) in GitLab 12.9.
2020-04-08 14:13:33 +05:30
A deploy token created at the group level can be used across all projects that
belong either to the specific group or to one of its subgroups.
2020-05-24 23:13:21 +05:30
< i class = "fa fa-youtube-play youtube" aria-hidden = "true" > < / i >
For an overview, see [Group Deploy Tokens ](https://youtu.be/8kxTJvaD9ks ).
2021-04-29 21:17:54 +05:30
The Group deploy tokens UI is now accessible under **Settings > Repository** ,
2021-02-22 17:27:13 +05:30
not **Settings > CI/CD** as indicated in the video.
2020-04-08 14:13:33 +05:30
To use a group deploy token:
1. [Create ](#creating-a-deploy-token ) a deploy token for a group.
1. Use it the same way you use a project deploy token when
[cloning a repository ](#git-clone-a-repository ).
2021-03-08 18:12:59 +05:30
The scopes applied to a group deploy token (such as `read_repository` )
2020-04-08 14:13:33 +05:30
apply consistently when cloning the repository of related projects.
2021-10-27 15:23:28 +05:30
### Pull images from the Dependency Proxy
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/280586) in GitLab 14.2.
To pull images from the Dependency Proxy, you must:
1. Create a group deploy token with both `read_registry` and `write_registry` scopes.
1. Take note of your `username` and `token` .
2021-11-11 11:23:49 +05:30
1. Follow the Dependency Proxy [authentication instructions ](../../packages/dependency_proxy/index.md ).
2021-10-27 15:23:28 +05:30
2021-04-29 21:17:54 +05:30
### GitLab deploy token
2018-10-15 14:42:47 +05:30
2021-04-29 21:17:54 +05:30
There's a special case when it comes to deploy tokens. If a user creates one
named `gitlab-deploy-token` , the username and token of the deploy token is
2021-04-17 20:07:23 +05:30
automatically exposed to the CI/CD jobs as CI/CD variables: `CI_DEPLOY_USER`
2021-01-29 00:20:46 +05:30
and `CI_DEPLOY_PASSWORD` , respectively.
2018-12-13 13:39:08 +05:30
2021-01-29 00:20:46 +05:30
After you create the token, you can sign in to the Container Registry by using
2018-12-13 13:39:08 +05:30
those variables:
2020-03-13 15:44:24 +05:30
```shell
2018-12-13 13:39:08 +05:30
docker login -u $CI_DEPLOY_USER -p $CI_DEPLOY_PASSWORD $CI_REGISTRY
```
2020-05-24 23:13:21 +05:30
2021-02-22 17:27:13 +05:30
NOTE:
2021-04-17 20:07:23 +05:30
The special handling for the `gitlab-deploy-token` deploy token is not
implemented for group deploy tokens. To make the group-level deploy token available for
2021-09-04 01:27:46 +05:30
CI/CD jobs, the `CI_DEPLOY_USER` and `CI_DEPLOY_PASSWORD` variables should be set under **Settings** to the name and token of the group deploy token respectively.
2021-11-18 22:05:49 +05:30
## Troubleshooting
### Group deploy tokens and LFS
A bug
[prevents Group Deploy Tokens from cloning LFS objects ](https://gitlab.com/gitlab-org/gitlab/-/issues/235398 ).
If you receive `404 Not Found` errors and this error,
use a Project Deploy Token to work around the bug:
```plaintext
api error: Repository or object not found:
https://< URL-with-token > .git/info/lfs/objects/batch
Check that it exists and that you have proper access to it
```