85 lines
3.9 KiB
Markdown
85 lines
3.9 KiB
Markdown
---
|
|
stage: Manage
|
|
group: Authentication and Authorization
|
|
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
|
|
type: howto
|
|
---
|
|
|
|
# Credentials inventory **(ULTIMATE SELF)**
|
|
|
|
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20912) in GitLab 12.6.
|
|
> - [Bot-created access tokens not displayed in personal access token list](https://gitlab.com/gitlab-org/gitlab/-/issues/351759) in GitLab 14.9.
|
|
|
|
GitLab administrators are responsible for the overall security of their instance. To assist, GitLab
|
|
provides a Credentials inventory to keep track of all the credentials that can be used to access
|
|
their self-managed instance.
|
|
|
|
Use Credentials inventory to see for your GitLab instance all:
|
|
|
|
- Personal access tokens (PAT).
|
|
- Project access tokens (GitLab 14.8 and later).
|
|
- SSH keys.
|
|
- GPG keys.
|
|
|
|
You can also [revoke](#revoke-a-users-personal-access-token) and [delete](#delete-a-users-ssh-key) and see:
|
|
|
|
- Who they belong to.
|
|
- Their access scope.
|
|
- Their usage pattern.
|
|
- When they expire. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214809) in GitLab 13.2.
|
|
- When they were revoked. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214809) in GitLab 13.2.
|
|
|
|
To access the Credentials inventory:
|
|
|
|
1. On the top bar, select **Menu > Admin**.
|
|
1. On the left sidebar, select **Credentials**.
|
|
|
|
## Revoke a user's personal access token
|
|
|
|
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214811) in GitLab 13.4.
|
|
|
|
If you see a **Revoke** button, you can revoke that user's PAT. Whether you see a **Revoke** button depends on the token state, and if an expiration date has been set. For more information, see the following table:
|
|
|
|
| Token state | Show Revoke button? | Comments |
|
|
|-------------|---------------------|----------------------------------------------------------------------------|
|
|
| Active | Yes | Allows administrators to revoke the PAT, such as for a compromised account |
|
|
| Expired | No | Not applicable; token is already expired |
|
|
| Revoked | No | Not applicable; token is already revoked |
|
|
|
|
When a PAT is revoked from the credentials inventory, the instance notifies the user by email.
|
|
|
|
![Credentials inventory page - Personal access tokens](img/credentials_inventory_personal_access_tokens_v14_9.png)
|
|
|
|
## Revoke a user's project access token
|
|
|
|
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/243833) in GitLab 14.8.
|
|
|
|
The **Revoke** button next to a project access token can be selected to revoke that particular project access token. This will both:
|
|
|
|
- Revoke the token project access token.
|
|
- Enqueue a background worker to delete the project bot user.
|
|
|
|
![Credentials inventory page - Project access tokens](img/credentials_inventory_project_access_tokens_v14_9.png)
|
|
|
|
## Delete a user's SSH key
|
|
|
|
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/225248) in GitLab 13.5.
|
|
|
|
You can **Delete** a user's SSH key by navigating to the credentials inventory's SSH Keys tab.
|
|
The instance then notifies the user.
|
|
|
|
![Credentials inventory page - SSH keys](img/credentials_inventory_ssh_keys_v14_9.png)
|
|
|
|
## Review existing GPG keys
|
|
|
|
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/282429) in GitLab 13.10.
|
|
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/292961) in GitLab 13.12.
|
|
|
|
You can view all existing GPG in your GitLab instance by navigating to the
|
|
credentials inventory GPG Keys tab, as well as the following properties:
|
|
|
|
- Who the GPG key belongs to.
|
|
- The ID of the GPG key.
|
|
- Whether the GPG key is [verified or unverified](../project/repository/gpg_signed_commits/index.md)
|
|
|
|
![Credentials inventory page - GPG keys](img/credentials_inventory_gpg_keys_v14_9.png)
|