UI for group access tokens
Problem to solve
Broken off of #330718 (closed)
Currently, GitLab customers are creating users instead of bots (since there is no official bot feature in GitLab) to specifically handle the automation of tasks. This is painful for customers for the following reasons:
- Compromised security
  - Attaching tokens to a specific user means that user account has access to the full API; if those account credentials are compromised, the whole instance is potentially in the hands of bad actors.
  - The additional license costs (detailed below) cause customers to create only one user for many tasks to save money, which is also a potential security risk.
- Cost
  - Customers have to pay not only for additional licenses, but also for the surrounding costs, such as email account provisioning via G-Suite or Office 365, so that the user has credentials.
  - Some users are uncomfortable with converting to a paid customer because of the anxiety around increased license costs, especially small teams or businesses with many automated tasks.
- Decreased cycle time
  - Provisioning bot users is a long and convoluted process for some customers, causing potential delays in getting work done.
  - If the cost of creating a bot user is too high, users may attempt to perform the tasks manually instead, which is not efficient.
- Potential downtime
  - If a user whose access token is being used for a task that many depend on gets deleted, this could cause disruption and downtime.
We already support project-level bots, but not group-level ones. This limits our users, since Project Access Tokens do not work at the group level:
Specific use cases:
- Project Access Tokens can't run pipelines if included YML files come from another private repository in the same group.
- One customer has many projects in one subgroup and is trying to give third-party tools access to all of them. It is time-consuming to create and manage separate tokens.
- > We’re currently utilizing Jenkins. As part of our CI process we build images. When the image is successfully built, we increment the version number back in the project.
  >
  > We have numerous repos, and we have to create tokens for every single project, save those tokens in some place accessible in Jenkins, and then smartly retrieve the correct token for the specific project to increment the version.
  >
  > Having the ability to use Group tokens would reduce this save/fetch methodology and streamline the CI process.
Proposal
✏️ Figma file
Adds the ability to create access tokens scoped to a group (GrAT). Adding a GrAT also creates a "Group Bot User" that holds the access token. Revoking an access token removes the "Group Bot User" from the group and deletes the user, making it a "Ghost User". This feature will be for self-managed instances only.
| Mockup | Proposal |
|---|---|
| ![]() | ![]() |
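As an added illustration (not code from this issue or from GitLab), a small Python model of the access semantics the proposal describes: a personal token is bound to an account and reaches every group that account is a member of, while a group access token is bound to a Group Bot User that is a member of only that group and is removed and turned into a Ghost User on revocation. The group and project paths, token prefixes and bot-user naming are constructed assumptions for the model.

```python
from dataclasses import dataclass, field

def ancestors(project_path):
    # 'acme/infra/app' -> ['acme', 'acme/infra']: groups whose membership the project inherits
    parts = project_path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]

@dataclass
class Token:
    value: str
    scopes: frozenset
    owner: str             # user the token is bound to: a human, a shared "bot" account, or a Group Bot User
    is_bot: bool = False   # True when the owner is a Group Bot User created for this token
    revoked: bool = False

@dataclass
class Instance:
    members: dict = field(default_factory=dict)  # group path -> set of member user ids (constructed model)
    tokens: dict = field(default_factory=dict)   # token value -> Token
    ghosts: set = field(default_factory=set)     # bot users deleted on revocation ("Ghost Users")

    def create_personal_token(self, user, name, scopes):
        tok = Token(f"glpat-{name}", frozenset(scopes), user)
        self.tokens[tok.value] = tok
        return tok.value

    def create_group_token(self, group, name, scopes):
        # Creating the token also creates a Group Bot User that is a member of this group only.
        bot = f"group_{group.replace('/', '_')}_bot_{name}"
        self.members.setdefault(group, set()).add(bot)
        tok = Token(f"glgat-{name}", frozenset(scopes), bot, is_bot=True)
        self.tokens[tok.value] = tok
        return tok.value

    def revoke(self, value):
        tok = self.tokens[value]
        tok.revoked = True
        if tok.is_bot:  # group token: drop the bot from every group and delete it (Ghost User)
            for users in self.members.values():
                users.discard(tok.owner)
            self.ghosts.add(tok.owner)
        # a personal token's owner account, and its other credentials, stay untouched

    def authorize(self, value, project_path, scope):
        # Membership of any ancestor group grants access to the project, as in GitLab.
        tok = self.tokens.get(value)
        if tok is None or tok.revoked or scope not in tok.scopes:
            return False
        return any(tok.owner in self.members.get(g, set()) for g in ancestors(project_path))
```

Comparing what a leaked personal token and a leaked group token can reach makes the blast-radius argument from the problem statement concrete.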
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.