Service Accounts: Consolidated Machine Identity
Architecture blueprint: https://gitlab.com/gitlab-com/content-sites/handbook/-/merge_requests/12302+ ## The Problem Currently, GitLab has multiple inconsistent approaches for non-human authentication: * **Security risks**: Multiple inconsistent authentication methods create vulnerabilities * **Management complexity**: Fragmented token systems are difficult to administer * **Licensing issues**: Current tokens count toward license seats inconsistently * **User confusion**: No unified approach for automated system authentication ## Proposed Solution Implement a unified Service Accounts system to replace the current fragmented approach to non-human authentication in GitLab. ## **Core Development:** * Build a unified service accounts framework to replace multiple inconsistent token types (ScimToken, DeployToken, Project Access Tokens) * Extend service account functionality from group-level to subgroup and project levels * Create new UI/UX for service account management across all GitLab tiers * Implement token lifecycle management and granular permissions * Develop migration paths for existing Project Access Tokens ## **UI/UX Improvements:** * Add "Service accounts" sections under "Manage" (GitLab.com) and "Overview" (Self-managed admin) * Create tabbed interface for managing service accounts and their tokens * Implement inheritance patterns similar to user membership * Build audit trails and "last accessed" tracking ## **Business Impact:** * Reduce security vulnerabilities across GitLab * Lower operational overhead for admins * Optimise licensing costs (service accounts won't count toward seats) * Improve compliance and audit capabilities ## Success Criteria - Admins can create/manage service accounts at appropriate levels - Multiple token types supported per service account - Clear audit trail for service account actions - Migration path for existing Project Access Tokens - Service accounts don't count toward license seat
epic