Create a service account for project-level Deploy Keys
Problem
Sometimes Deploy Keys cause confusion because the key doesn't work under certain conditions; for example, git-push fails on protected branches/tags. This is because GitLab evaluates whether the creator of the deploy key has permission to access the Git-Ref and subsequent processes, such as pipeline runs.
However, the point of Deploy Keys is to treat each key as an individual machine user, so it should NOT be affected by the creator of the deploy key. For example, deploy keys should keep working even after the creator of the deploy key is removed from the project.
The current workaround is to ask users to create a service account (a.k.a. a bot user) for deploy keys, but it's a bit cumbersome to do this per project.
Proposal
As we discussed in this epic, we introduce a feature to automate the following tasks:
- Create a user (as a service account) and add it to the project as maintainer.
- Create a deploy key as the user.
- The registered SSH key works all the time.
A few notes:
- GitLab-created service accounts are excluded from Billable users. See https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html#bot-users-for-projects
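
The manual workaround described above (bot user, Maintainer membership, deploy key created as the bot) can be scripted against the GitLab REST API. This is an added example, not GitLab's implementation of the proposal; the function names are hypothetical, and it assumes an administrator token and that the deploy key's creator is recorded as the user whose token makes the `deploy_keys` call.

```python
import json
import urllib.request

MAINTAINER = 40  # GitLab access_level value for the Maintainer role

def build(base_url, token, method, path, payload=None):
    """Build (without sending) an authenticated GitLab REST API v4 request."""
    data = json.dumps(payload).encode() if payload is not None else None
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4{path}", data=data, method=method,
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"})

def http_send(req):
    """Send a request and decode the JSON body (DELETE returns no body)."""
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else None

def provision_deploy_bot(base_url, admin_token, project_id, username, email,
                         public_key, token_expiry, send=http_send):
    """Create a bot user, make it Maintainer, register the key as that user."""
    def call(token, method, path, payload=None):
        return send(build(base_url, token, method, path, payload))

    # 1. Create the service account (requires an administrator token).
    user = call(admin_token, "POST", "/users", {
        "username": username, "name": username, "email": email,
        "force_random_password": True, "skip_confirmation": True})
    # 2. Add it to the project as Maintainer.
    call(admin_token, "POST", f"/projects/{project_id}/members",
         {"user_id": user["id"], "access_level": MAINTAINER})
    # 3. Mint a short-lived token so the next call runs as the bot.
    imp = call(admin_token, "POST", f"/users/{user['id']}/impersonation_tokens",
               {"name": "deploy-key-setup", "scopes": ["api"],
                "expires_at": token_expiry})
    try:
        # 4. Create the deploy key as the bot, so the bot is its creator.
        key = call(imp["token"], "POST", f"/projects/{project_id}/deploy_keys",
                   {"title": f"{username} deploy key", "key": public_key,
                    "can_push": True})
    finally:
        # 5. Revoke the setup token; only the SSH key should remain usable.
        call(admin_token, "DELETE",
             f"/users/{user['id']}/impersonation_tokens/{imp['id']}")
    return {"user_id": user["id"], "deploy_key_id": key["id"]}
```

The `send` parameter exists so the request sequence can be checked offline; the bot keeps no password or API token after the run, so the SSH key is its only credential.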