Allow group owners to define an SSH key expiration

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Close this issue

Problem to solve

We released the credential inventory in 12.6 and have released several related credential management features, such as PAT expiration and list and revoke PATs via API; however, these features are largely available only for self-managed customers leaving GitLab.com customers in a painful spot for credential management.

Intended users

Cameron (Compliance Manager)
Sidney (Systems Administrator)

User experience goal

A group owner can specify an expiration for SSH keys scoped to their group or projects in their group.

Proposal

Add a field to Group > Settings > Permissions, LFS, 2FA: Maximum allowable lifetime for ssh keys (days)

Further details

Enforcement of this feature should be enabled by default.

Permissions and Security

Add expected impact to Owner (50) members

Edited Aug 28, 2025 by 🤖 GitLab Bot 🤖