Instance level key rotation governance

Problem to solve

Companies often have policies around secrets management and key rotation. To meet them, we want users to commit to rotating the keys and tokens on their accounts. GitLab EE currently has no way to enforce key rotation on user accounts.

Further details

My team would like to enforce key rotation for our instance by requiring that, when SSH keys and personal access tokens are created, they automatically receive an expiration date set by the admin team. Enforced rotation is a common security requirement in enterprises for passwords, and SSH keys and personal access tokens (used for HTTPS auth) shouldn't be treated any differently.

Proposal

In the admin settings, near the authentication options, let the admin team configure an automatic expiration date per key/token type.

What does success look like, and how can we measure that?

We can implement a key rotation policy in the admin settings page and also have GitLab send custom reminder messages to users before their keys expire.
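As an added illustration of the proposal and the reminder idea above (example code, not GitLab's own implementation), the following Ruby sketch shows how an instance-level policy could derive or validate a credential's expiry and decide when a rotation reminder is due. The `INSTANCE_POLICY` table, `REMINDER_DAYS_BEFORE` and the function names are assumptions, not existing GitLab settings.

```ruby
require 'date'

# Hypothetical instance-wide policy: maximum lifetime in days per credential
# type, as the admin team would configure it (assumed names, not GitLab's).
INSTANCE_POLICY = {
  ssh_key: 90,
  personal_access_token: 30
}.freeze

# Days before expiry at which a rotation reminder should go out (assumed value).
REMINDER_DAYS_BEFORE = 7

class ExpirationPolicyError < StandardError; end

# Return the expiry date a newly created credential must carry.
# - No requested date: fill in the instance maximum, so nothing is created
#   without an expiry (the core of the proposal).
# - Requested date: accept it only if it is in the future and within the
#   instance maximum; otherwise reject the creation.
def enforced_expiry(type, created_on, requested = nil)
  max_days = INSTANCE_POLICY.fetch(type) do
    raise ExpirationPolicyError, "unknown credential type #{type}"
  end
  latest = created_on + max_days
  return latest if requested.nil?
  if requested > latest
    raise ExpirationPolicyError, "expiry #{requested} exceeds instance maximum #{latest}"
  end
  if requested <= created_on
    raise ExpirationPolicyError, "expiry #{requested} is not in the future"
  end
  requested
end

# True when today falls inside the reminder window before expiry.
def reminder_due?(expires_on, today)
  days_left = (expires_on - today).to_i
  days_left >= 0 && days_left <= REMINDER_DAYS_BEFORE
end

# Classify a credential for reporting: :expired, :expiring (reminder window)
# or :active.
def credential_status(expires_on, today)
  return :expired if today > expires_on
  reminder_due?(expires_on, today) ? :expiring : :active
end
```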
