Service Accounts: Consolidated Machine Identity
Architecture blueprint: https://gitlab.com/gitlab-com/content-sites/handbook/-/merge_requests/12302+
## The Problem
Currently, GitLab has multiple inconsistent approaches for non-human authentication:
* **Security risks**: Multiple inconsistent authentication methods create vulnerabilities
* **Management complexity**: Fragmented token systems are difficult to administer
* **Licensing issues**: Current tokens count toward license seats inconsistently
* **User confusion**: No unified approach for automated system authentication
## Proposed Solution
Implement a unified Service Accounts system to replace the current fragmented approach to non-human authentication in GitLab.
## **Core Development:**
* Build a unified service accounts framework to replace multiple inconsistent token types (ScimToken, DeployToken, Project Access Tokens)
* Extend service account functionality from group-level to subgroup and project levels
* Create new UI/UX for service account management across all GitLab tiers
* Implement token lifecycle management and granular permissions
* Develop migration paths for existing Project Access Tokens
## **UI/UX Improvements:**
* Add "Service accounts" sections under "Manage" (GitLab.com) and "Overview" (Self-managed admin)
* Create tabbed interface for managing service accounts and their tokens
* Implement inheritance patterns similar to user membership
* Build audit trails and "last accessed" tracking
## **Business Impact:**
* Reduce security vulnerabilities across GitLab
* Lower operational overhead for admins
* Optimise licensing costs (service accounts won't count toward seats)
* Improve compliance and audit capabilities
## Success Criteria
- Admins can create/manage service accounts at appropriate levels
- Multiple token types supported per service account
- Clear audit trail for service account actions
- Migration path for existing Project Access Tokens
- Service accounts don't count toward license seat
epic