`write_registry` permission to Deploy Tokens

Problem to solve

We are building images on servers separate from GitLab CI; these servers need a secure way to handle tokens with push access to the container registry.

Further details

Using a project member's PAT is dangerous, as all project members can access the shared servers. Using a dedicated user for each project is hard to maintain.

Proposal

Add a `write_registry` permission to Deploy Tokens so that we can easily create a token with the access we need, scoped to a single project only.

What does success look like, and how can we measure that?

I can create a Deploy Token with `write_registry`, log in with `docker login`, and push images to the correct project.

Links / references

I wrote a comment in #23322 (closed), but a smaller, focused issue is often easier to deal with, which is why I also created this issue.