  • #22743
Closed
Created Jun 13, 2018 by Rasmus Eneman@Pajn

Use Deploy tokens to read and write to the GitLab Container Registry

Problem to solve

Deploy tokens allow downloading a project's repository (through git clone) or reading its container registry images without needing a user account and password. However, the current scopes do not allow users to grant push access to the GitLab Container Registry or Package Registry.

As a workaround, users have been either using a project member's Personal Access Token, which is dangerous because all project members can access shared runners, or creating a dedicated fake user for each project/group, which is difficult to maintain, costs money, and can cause issues with LDAP and SSL for some customers.

Intended users

  • Delaney (Development Team Lead)
  • Sasha (Software Developer)
  • Devon (DevOps Engineer)
  • Sidney (Systems Administrator)

Further details

Customer quotes

"We are building images on a server separate from the GitLab CI, these servers need a secure way to handle tokens with push access to the container registry"

Existing scopes

  • read_repository: Allows read-only access to the repository
  • read_registry: Allows read-only access to the Container Registry

Proposal

Expand the scopes of GitLab's Deploy tokens to allow writing to the GitLab Container Registry.

Scopes

  • read_repository: Allows read-only access to the repository
  • read_registry: Allows read-only access to the Container Registry
  • write_registry: Allows write access to the Container Registry
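
A model, added here and not GitLab's own code, of how a registry token server could turn the proposed Deploy Token scopes into the access claim of a Docker registry auth token. The `repository:<name>:<actions>` scope string is the standard Docker token-auth format; the scope-to-action mapping and the rule that a token only covers images under its own project or group path are assumptions of this example.

```python
# Added illustration, not GitLab's implementation. The mapping from Deploy
# Token scopes to registry actions and the path-prefix rule are assumptions.
from dataclasses import dataclass

# Deploy Token scopes from the proposal -> registry actions (assumption).
# read_repository grants nothing in the registry, so it maps to no actions.
SCOPE_ACTIONS = {
    "read_registry": frozenset({"pull"}),
    "write_registry": frozenset({"push"}),
}


@dataclass(frozen=True)
class DeployToken:
    path: str          # project or group path the token was created for
    scopes: frozenset  # e.g. frozenset({"read_registry", "write_registry"})


def parse_registry_scope(scope):
    """Parse 'repository:grp/proj/img:pull,push' into (name, {actions})."""
    kind, name, actions = scope.split(":", 2)
    if kind != "repository" or not name:
        raise ValueError("unsupported registry scope: %r" % scope)
    return name, {a for a in actions.split(",") if a}


def covers(token, image_name):
    """A token covers the image named after its path or anything below it:
    'grp/proj' covers 'grp/proj/app' but not 'grp/project2/app'."""
    return image_name == token.path or image_name.startswith(token.path + "/")


def authorize(token, requested_scope):
    """Return the access entry a token server would put into the registry JWT:
    the requested actions reduced to what the Deploy Token's scopes allow."""
    name, wanted = parse_registry_scope(requested_scope)
    allowed = set()
    if covers(token, name):
        for scope in token.scopes:
            allowed |= SCOPE_ACTIONS.get(scope, frozenset())
    return {"type": "repository", "name": name, "actions": sorted(wanted & allowed)}


if __name__ == "__main__":
    # Constructed sample: a CI job pushing with a read+write token for grp/proj.
    ci_token = DeployToken("grp/proj", frozenset({"read_registry", "write_registry"}))
    print(authorize(ci_token, "repository:grp/proj/app:pull,push"))
    print(authorize(ci_token, "repository:grp/other/app:pull,push"))
```

A token holding only write_registry is granted push but not pull; because a docker push also performs pull-scoped blob checks, a push-capable token in practice needs both scopes.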

Iteration

  • This issue will focus on the Container Registry; #213566 (closed) will address adding new scopes for the Package Registry.

MR Breakdown

MR  Title                                                         Aspects
1   Container Registry write access support with a Deploy Token   backend, Category:Container Registry
2   Add the additional scopes to the UI                           frontend
3   NPM API authentication with a Deploy Token                    backend, ~"NPM Registry", Category:Package Registry
4   Maven API authentication with a Deploy Token                  backend, Maven Repository, Category:Package Registry
5   Conan API authentication with a Deploy Token                  backend, Conan Repository, Category:Package Registry
6   NuGet API authentication with a Deploy Token                  backend, NuGet Repository, Category:Package Registry
7   PyPI API authentication with a Deploy Token                   backend, PyPI Repository, Category:Package Registry

User Interface

The additional scopes should be added to the user interface, with the language below. Users can create deploy tokens by:

User flow
  • Log in to your GitLab account.
  • Go to the project (or group) you want to create Deploy Tokens for.
  • Go to Settings > CI / CD.
  • Click on “Expand” in the Deploy Tokens section.
  • Choose a name, expiry date (optional), and username (optional) for the token.
  • Choose the desired scopes.
  • Click on Create deploy token.
  • Save the deploy token somewhere safe. Once you leave or refresh the page, you won’t be able to access it again.

API

Users can also view, create and update Deploy tokens via the GitLab API. As we add these new scopes, the API will also accept them as parameters.

What does success look like, and how can we measure that?

Users can create Deploy tokens that allow them more control over the Container and Package registries.

Metrics

  • Count the number of Deploy tokens created with each available scope.
  • Count the number of Deploy tokens deleted with each available scope.

Permissions and Security

  • There are no permissions changes required for this change.

Documentation

  • Update the Deploy Tokens documentation
  • Update the Deploy Tokens API documentation (https://docs.gitlab.com/ee/api/deploy_tokens.html)

Availability & Testing

Links / references

  • Issue creating an API for updating Deploy tokens
Edited Apr 06, 2020 by Tim Rizzi