Use Deploy tokens to read and write to the GitLab Container Registry
Problem to solve
Deploy tokens allow downloading a repository (through git clone) or reading a project's Container Registry images without needing a username and password. However, the current scopes do not allow users to grant push access to the GitLab Container Registry or Package Registry.
As a workaround, users have been either using a project member's Personal Access Token, which is dangerous because all project members can access shared runners, or creating a dedicated, fake user for each project/group, which is difficult to maintain, costs money, and can cause issues with LDAP and SSL for some customers.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
Further details
Customer quotes
"We are building images on a server separate from the GitLab CI, these servers need a secure way to handle tokens with push access to the container registry"
Existing scopes
- read_repository: Allows read-only access to the repository
- read_registry: Allows read-only access to the Container Registry
Proposal
Expand the scopes of GitLab's Deploy tokens to allow writing to the GitLab Container Registry.
Scopes
- read_repository: Allows read-only access to the repository
- read_registry: Allows read-only access to the Container Registry
- write_registry: Allows write access to the Container Registry
Iteration
- This issue will focus on the Container Registry, #213566 (closed) will address adding new scopes for the Package Registry.
MR Breakdown
| MR | Title | Aspects |
|---|---|---|
| 1 | Container Registry write access support with a Deploy Token | backend, Category:Container Registry |
| 2 | Add the additional scopes to the UI | frontend |
| 3 | NPM API authentication with a Deploy Token | backend, ~"NPM Registry", Category:Package Registry |
| 4 | Maven API authentication with a Deploy Token | backend, Maven Repository, Category:Package Registry |
| 5 | Conan API authentication with a Deploy Token | backend, Conan Repository, Category:Package Registry |
| 6 | NuGet API authentication with a Deploy Token | backend, NuGet Repository, Category:Package Registry |
| 7 | PyPI API authentication with a Deploy Token | backend, PyPI Repository, Category:Package Registry |
User Interface
The additional scopes should be added to the user interface, with the language below. Users create deploy tokens as follows:
User flow
- Log in to your GitLab account.
- Go to the project (or group) you want to create Deploy Tokens for.
- Go to Settings > CI / CD.
- Click “Expand” in the Deploy Tokens section.
- Choose a name, expiry date (optional), and username (optional) for the token.
- Choose the desired scopes.
- Click on Create deploy token.
- Save the deploy token somewhere safe. Once you leave or refresh the page, you won’t be able to access it again.
API
Users can also view, create and update Deploy tokens via the GitLab API. As we add these new scopes, the API will also accept them as parameters.
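The following script is an added example, not part of this issue or of GitLab's own code. It shows how a CI server outside GitLab (the situation in the customer quote above) can mint a project deploy token with exactly the read_registry and write_registry scopes it needs and an expiry date, using the documented POST /projects/:id/deploy_tokens endpoint, and then log in to the Container Registry with that token instead of a member's Personal Access Token. It assumes the environment variables GITLAB_URL, PROJECT_ID and ADMIN_TOKEN (a maintainer's token used only once, to create the deploy token), and that curl, jq and docker are installed; the placeholders gitlab.example.com, project-id and admin-token are constructed.

```bash
#!/usr/bin/env bash
# Added example (not GitLab's code). Creates a least-privilege deploy token via
# the Deploy Tokens API and uses it for `docker login`.
# Assumed environment: GITLAB_URL, PROJECT_ID, ADMIN_TOKEN; tools: curl, jq, docker.
set -eu

# The scope set this issue defines. Anything else is rejected before a request
# is sent, so a typo cannot quietly ask for (or be granted) an unexpected scope.
ALLOWED_SCOPES="read_repository read_registry write_registry"

validate_scopes() {
  for s in "$@"; do
    case " $ALLOWED_SCOPES " in
      *" $s "*) ;;
      *) echo "unknown deploy token scope: $s" >&2; return 1 ;;
    esac
  done
  return 0
}

# Print, one per line, the curl arguments for POST /projects/:id/deploy_tokens.
# Scopes are sent as repeated scopes[] form fields; expires_at is ISO 8601.
# Usage: build_request <name> <expires_at YYYY-MM-DD> <scope>...
build_request() {
  name=$1; expires=$2; shift 2
  validate_scopes "$@" || return 1
  printf '%s\n' -sS -X POST \
    --header "PRIVATE-TOKEN: ${ADMIN_TOKEN:-<admin-token>}" \
    --data-urlencode "name=$name" \
    --data-urlencode "expires_at=$expires"
  for s in "$@"; do
    printf '%s\n' --data-urlencode "scopes[]=$s"
  done
  printf '%s\n' "${GITLAB_URL:-https://gitlab.example.com}/api/v4/projects/${PROJECT_ID:-<project-id>}/deploy_tokens"
}

# Send the request and print the one-time token value. GitLab shows the token
# only in this response, so store it in the CI server's secret store right away.
create_token() {
  build_request "$@" | {
    set --
    while IFS= read -r arg; do set -- "$@" "$arg"; done
    curl "$@"
  } | jq -r '.token'
}

# Log in to the registry with the deploy token; the password is passed on stdin
# so it never appears in the process list or shell history.
# Usage: registry_login <registry-host> <deploy-token-username> <token>
registry_login() {
  printf '%s' "$3" | docker login -u "$2" --password-stdin "$1"
}

# DRY_RUN=1 prints the request that would be sent (including the admin token
# header, so do not paste the output into logs). Without DRY_RUN nothing runs
# at load time; call create_token / registry_login from your own script, e.g.:
#   TOKEN=$(create_token ci-pusher 2025-12-31 read_registry write_registry)
#   registry_login registry.gitlab.example.com gitlab+deploy-token-1 "$TOKEN"
if [ "${DRY_RUN:-}" = 1 ]; then
  build_request ci-pusher 2025-12-31 read_registry write_registry
fi
```

The token is requested with only the registry scopes and a fixed expiry, so a leak from the build server exposes push access to one project's registry for a bounded time, not a person's full account; rotating it is a matter of deleting the token in the same API and creating a new one.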
What does success look like, and how can we measure that?
Users can create Deploy tokens that allow them more control over the Container and Package registries.
Metrics
- Count the number of Deploy tokens created with each available scope.
- Count the number of Deploy tokens deleted with each available scope.
Permissions and Security
- There are no permissions changes required for this change.
Documentation
- Update the Deploy Tokens documentation
- Update the [Deploy Tokens API documentation](https://docs.gitlab.com/ee/api/deploy_tokens.html)