Prevent Service Account from Locking
Proposal
Currently it is not possible to sign in to a GitLab service account, by design.
However, if someone attempts to sign in to a service account with an incorrect password several times in a short space of time, the account can be locked. If this is a critically used service account, that causes harm to the organisation without anyone gaining access to the account. To make matters worse, since service accounts do not have 2FA set up, the lock is indefinite without manual intervention.
This is especially harmful to GitLab.com customers, who do not have the ability to unlock the account themselves and must rely on GitLab.com Support to do it for them.
For GitLab.com users, if 2FA is not enabled, user accounts are locked after three failed sign-in attempts within 24 hours. Accounts remain locked until:
- The next successful sign-in, at which point the user must verify their identity with a code sent to their email.
- GitLab Support verifies the identity of the user and manually unlocks the account.
Propose changing this behaviour to a less destructive one:
- Allow Namespace Owners to unlock the service account
- Allow owners to see audit logs as to the source/cause of the lock
- Allow owners to configure auto-unlock of the service account after a predetermined period, or to disable the lock entirely
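To make the failure mode and the proposed remedy concrete, here is an added model of the lockout policy described above. It is illustration code written for this issue, not GitLab's implementation: it locks an account after N failed sign-ins inside a sliding window, treats a `None` auto-unlock period as the current indefinite lock, records the source of every failure (the audit view owners are asking for), and can replay log lines. The thresholds, class and function names, and the log line format are assumptions made for the example.

```python
"""Model of account lockout: N failed sign-ins within a window lock the account.

Added example for this issue, not GitLab's code. Assumed: 3 failures in 24 h
lock the account; auto_unlock_after=None means the lock never expires on its
own (manual unlock only), which is the current behaviour without 2FA.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class FailedAttempt:
    at: datetime
    source_ip: str


@dataclass
class AccountState:
    failures: List[FailedAttempt] = field(default_factory=list)
    locked_at: Optional[datetime] = None


class LockoutPolicy:
    def __init__(self, max_failures: int = 3, window: timedelta = timedelta(hours=24),
                 auto_unlock_after: Optional[timedelta] = None):
        self.max_failures = max_failures
        self.window = window
        self.auto_unlock_after = auto_unlock_after  # None = indefinite lock
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        """True while locked; expires the lock when an auto-unlock period has elapsed."""
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.auto_unlock_after is not None and now - st.locked_at >= self.auto_unlock_after:
            st.locked_at, st.failures = None, []
            return False
        return True

    def record_failure(self, user: str, now: datetime, source_ip: str) -> bool:
        """Record a failed sign-in and return whether the account is locked afterwards.

        The caller never needs a valid password: failures alone drive the lock,
        which is exactly the denial-of-service the issue describes.
        """
        st = self._state(user)
        if self.is_locked(user, now):
            st.failures.append(FailedAttempt(now, source_ip))  # keep the audit trail
            return True
        st.failures = [f for f in st.failures if now - f.at < self.window]
        st.failures.append(FailedAttempt(now, source_ip))
        if len(st.failures) >= self.max_failures:
            st.locked_at = now
            return True
        return False

    def manual_unlock(self, user: str) -> None:
        """What an owner (or today, GitLab Support) would do to clear the lock."""
        self._state(user).locked_at = None
        self._state(user).failures = []

    def lock_sources(self, user: str) -> List[str]:
        """Audit view: the source addresses behind the recorded failures."""
        return sorted({f.source_ip for f in self._state(user).failures})


# Constructed log lines in an assumed format, not real GitLab log output.
LOG_RE = re.compile(r"^(?P<ts>\S+) FAILED_LOGIN user=(?P<user>\S+) ip=(?P<ip>\S+)$")
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z FAILED_LOGIN user=svc-deploy ip=203.0.113.7",
    "2024-05-01T10:00:05Z FAILED_LOGIN user=svc-deploy ip=203.0.113.7",
    "2024-05-01T10:00:09Z FAILED_LOGIN user=svc-deploy ip=203.0.113.7",
    "2024-05-01T11:00:00Z FAILED_LOGIN user=alice ip=198.51.100.4",
]


def replay(lines: List[str], policy: LockoutPolicy) -> Dict[str, List[str]]:
    """Replay failed-login lines; return {user: sources} for accounts that got locked."""
    locked: Dict[str, List[str]] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if policy.record_failure(m["user"], ts, m["ip"]):
            locked[m["user"]] = policy.lock_sources(m["user"])
    return locked


def scenario_indefinite_lock():
    """Current behaviour: three bad passwords lock the account; 30 days later it is still locked."""
    policy, t0 = LockoutPolicy(), datetime(2024, 5, 1, tzinfo=timezone.utc)
    for i in range(3):
        policy.record_failure("svc-deploy", t0 + timedelta(seconds=i), "203.0.113.7")
    return policy.is_locked("svc-deploy", t0 + timedelta(days=30)), policy.lock_sources("svc-deploy")


def scenario_auto_unlock():
    """Proposed behaviour: same attack, but the lock expires after the configured period."""
    policy, t0 = LockoutPolicy(auto_unlock_after=timedelta(hours=1)), datetime(2024, 5, 1, tzinfo=timezone.utc)
    for i in range(3):
        policy.record_failure("svc-deploy", t0 + timedelta(seconds=i), "203.0.113.7")
    return policy.is_locked("svc-deploy", t0 + timedelta(minutes=30)), policy.is_locked("svc-deploy", t0 + timedelta(hours=2))


if __name__ == "__main__":
    print("indefinite:", scenario_indefinite_lock())
    print("auto-unlock:", scenario_auto_unlock())
    print("replay:", replay(SAMPLE_LOG, LockoutPolicy()))
```

Running the model shows the asymmetry the issue is about: with the indefinite policy, three guesses from one address lock `svc-deploy` until someone calls `manual_unlock`, and `lock_sources` is the only thing that tells the owner where the failures came from. With `auto_unlock_after` set, the same attack still locks the account, but the lock clears on its own after the period.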