
Use Deploy tokens to read and write to the GitLab Package Registry


Problem to solve

Deploy Tokens allow you to access your group's and project's repositories and container registries. However, the defined scopes of read_repository, read_registry, and write_registry have not allowed you to grant access to the GitLab Package Registry. As a result, DevOps teams have resorted to insecure or expensive user-based workarounds.

As a workaround, users have either been using a project member's Personal Access Token, which is dangerous because all project members can access shared runners, or creating a dedicated fake user for each project or group, which is difficult to maintain, costs money, and can cause issues with LDAP and SSL for some customers.

Intended users

Further details

Customer quotes

"We are building images on a server separate from the GitLab CI; these servers need a secure way to handle tokens with push access to the registry"

Existing scopes

  • read_repository: Allows read-only access to the repository
  • read_registry: Allows read-only access to the Container Registry

Proposal

Expand the scope of GitLab's Deploy tokens to allow reading and writing to the GitLab Package Registry.

Iteration

  • This issue will focus on the Package Registry; #22743 (closed) addressed adding new scopes for the Container Registry.
MR Breakdown

  MR  Title                                                         Aspects
  1   Container Registry write access support with a Deploy Token   backend, Category:Container Registry
  2   Add the additional scopes to the UI                           frontend
  3   NPM API authentication with a Deploy Token                    backend, ~"NPM Registry", Category:Package Registry
  4   Maven API authentication with a Deploy Token                  backend, Maven Repository, Category:Package Registry
  5   Conan API authentication with a Deploy Token                  backend, Conan Repository, Category:Package Registry
  6   NuGet API authentication with a Deploy Token                  backend, NuGet Repository, Category:Package Registry
  7   PyPI API authentication with a Deploy Token                   backend, PyPI Repository, Category:Package Registry

Scopes

  • read_repository: Allows read-only access to the repository
  • read_container_registry: Allows read-only access to the Container Registry
  • write_container_registry: Allows write access to the Container Registry
  • read_package_registry: Allows read-only access to the Package Registry
  • write_package_registry: Allows write access to the Package Registry
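As an added illustration (not GitLab's code), the following Python models the authorization rule the MR breakdown above introduces: a request to a Package Registry API endpoint is allowed only if the deploy token belongs to the target project, is unexpired, and carries the matching read_package_registry or write_package_registry scope. The API path pattern, the HTTP-method-to-action mapping and the expiry semantics are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

# Scope names from this proposal; the rest is an illustrative model, not GitLab's code.
DEPLOY_TOKEN_SCOPES = frozenset({
    "read_repository", "read_container_registry", "write_container_registry",
    "read_package_registry", "write_package_registry",
})
# Package Registry routes for the formats in the MR breakdown (assumed shape)
PACKAGE_API = re.compile(r"^/api/v4/projects/(\d+)/packages/(npm|maven|conan|nuget|pypi)(/|$)")
READ_METHODS = {"GET", "HEAD"}

@dataclass(frozen=True)
class DeployToken:
    name: str
    project_id: int                   # project-scoped; group tokens are not modelled here
    scopes: FrozenSet[str]
    expires_at: Optional[str] = None  # optional ISO date, as in the user flow above

    def __post_init__(self):
        unknown = self.scopes - DEPLOY_TOKEN_SCOPES
        if unknown or not self.scopes:
            raise ValueError(f"invalid scopes: {sorted(unknown) or 'none given'}")

def classify_request(method, path):
    """Return (project_id, action) for a Package Registry API call, else None."""
    m = PACKAGE_API.match(path)
    if not m:
        return None
    return int(m.group(1)), ("read" if method.upper() in READ_METHODS else "write")

def authorize(token, method, path, today=None):
    """Allow only an unexpired token of the target project carrying the matching scope."""
    today = today or date.today().isoformat()
    # Assumption: a token remains valid through its expires_at date
    if token.expires_at and date.fromisoformat(today) > date.fromisoformat(token.expires_at):
        return False
    target = classify_request(method, path)
    if target is None:
        return False          # not a Package Registry route: deny rather than guess
    project_id, action = target
    if project_id != token.project_id:
        return False          # token issued for a different project
    return f"{action}_package_registry" in token.scopes
```

A token for publishing needs both package scopes, while a token used only to install packages in CI should be issued with read_package_registry alone.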

User Interface

The additional scopes should be added to the user interface, with the language below. Users can create deploy tokens by:

User flow
  • Log in to your GitLab account.
  • Go to the project (or group) you want to create Deploy Tokens for.
  • Go to Settings > CI / CD.
  • Click “Expand” on the Deploy Tokens section.
  • Choose a name, expiry date (optional), and username (optional) for the token.
  • Choose the desired scopes.
  • Click on Create deploy token.
  • Save the deploy token somewhere safe. Once you leave or refresh the page, you won’t be able to access it again.

API

Users can also view, create and update Deploy tokens via the GitLab API. As we add these new scopes, the API will also accept them as parameters.

What does success look like, and how can we measure that?

Users can create Deploy tokens that allow them more control over the Container and Package registries.

Metrics

  • Count the number of Deploy tokens created with each available scope.
  • Count the number of Deploy tokens deleted with each available scope.

Permissions and Security

  • There are no permissions changes required for this change.

Documentation

Availability & Testing

Links / references

Edited by Tim Rizzi