## Problem Sometimes [Deploy Keys](https://docs.gitlab.com/ee/user/project/deploy_keys) causes a confusion that the key doesn't work in certain condition, for example, git-push fails by [protected branches/tags](https://gitlab.com/gitlab-org/gitlab/-/issues/329742). This is because GitLab evaluates the **creator** of the deploy key if the person has permission to access to the Git-Ref and subsequent processes, such as pipeline runs. However, the point of Deploy Keys is to treat it as **an individual machine user**, so that it should NOT be affected by the creator of the deploy key. For example, deploy keys should keep working even after the creator of the deploy key removed from the project. The current workaround is to ask users to create a service account (a.k.a. a bot user) for deploy keys, but it's a bit cumbersome to do this per project. ## Proposal GitLab now has [the first-class service account](https://gitlab.com/groups/gitlab-org/-/epics/6777) feature, but it can only [create PAT](https://docs.gitlab.com/ee/api/groups.html#create-personal-access-token-for-service-account-user) today. We should allow SA to have [Deploy Keys](https://docs.gitlab.com/ee/user/project/deploy_keys/) as well. ## Related - https://gitlab.com/groups/gitlab-org/-/epics/2587#note_694484465 - https://gitlab.com/gitlab-org/gitlab/-/issues/339873