Commit d9644141 authored by Suzanne Selhorn's avatar Suzanne Selhorn

Merge branch 'russell/ctrt-deploy-keys' into 'master'

Structure deploy keys page to CTRT standards

See merge request gitlab-org/gitlab!81351
parents 6b65ee6f 1ee7d391
...@@ -2,186 +2,145 @@ ...@@ -2,186 +2,145 @@
stage: Release stage: Release
group: Release group: Release
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
type: howto, reference
--- ---
# Deploy keys **(FREE)** # Deploy keys **(FREE)**
Deploy keys allow read-only or read-write access to your Use deploy keys to access repositories that are hosted in GitLab. In most cases, you use deploy keys
repositories by importing an SSH public key into your GitLab instance. to access a repository from an external host, like a build server or Continuous Integration (CI) server.
Deploy keys streamline interactions between your GitLab repository and another Depending on your needs, you might want to use a [deploy token](../deploy_tokens/) to access a repository instead.
machine. For example, setting up a deploy key allows secure cloning of your
repositories to a Continuous Integration (CI) server without setting up a fake
user account.
There are two types of deploy keys: | Attribute | Deploy key | Deploy token |
|------------------|-------------|--------------|
| Sharing | Shareable between multiple projects, even those in different groups. | Belong to a project or group. |
| Source | Public SSH key generated on an external host. | Generated on your GitLab instance, and is provided to users only at creation time. |
| Validity | Valid as long as it's registered and enabled. | Can be given an expiration date. |
| Registry access | Cannot access a package registry. | Can read from and write to a package registry. |
- [Project deploy keys](#project-deploy-keys) ## Scope
- [Public deploy keys](#public-deploy-keys)
## Key details on deploy keys A deploy key has a defined scope when it is created:
Deploy keys allow a remote machine (VM, physical, and so on) to access a GitLab - **Project deploy key:** Access is limited to the selected project.
repository with just a few steps. If you want a remote machine to interact with a GitLab - **Public deploy key:** Access can be granted to _any_ project in a GitLab instance. Access to each
repository in automation, it's a simple solution. project must be [granted](#grant-project-access-to-a-public-deploy-key) by a user with at least
the Maintainer role.
A drawback is that your repository could become vulnerable if a remote machine is compromised You cannot change a deploy key's scope after creating it.
by a hacker. You should limit access to the remote machine before a deploy key is
enabled on your repository. A good rule to follow is to provide access only to trusted users,
and make sure that the allowed users have at least the Maintainer role
in the GitLab project.
If this security implication is a concern for your organization, ## Permissions
[Deploy Tokens](../deploy_tokens/index.md) works as an alternative, but with more
security control.
## Deploy keys permissions A deploy key is given a permission level when it is created:
You can choose the access level of a deploy key when you enable it on a project: - **Read-only:** A read-only deploy key can only read from the repository.
- **Read-write:** A read-write deploy key can read from, and write to, the repository.
- `read-only`: The deploy key can read a repository. You can change a deploy key's permission level after creating it. Changing a project deploy key's
- `read-write`: The deploy key can read a repository and write to it. permissions only applies for the current project.
Project maintainers and owners can activate and deactivate deploy keys. When a read-write deploy key is used to push a commit, GitLab checks if the creator of the
They can also add their own deploy keys and enable them for this project. deploy key has permission to access the resource.
When a `write-access` deploy key is used to push a commit, GitLab checks if For example:
the **creator** of the deploy key has permission to access the resource. For example:
- When a deploy key is used to push a commit to a [protected branch](../protected_branches.md), - When a deploy key is used to push a commit to a [protected branch](../protected_branches.md),
the **creator** of the deploy key must have access to the branch. the _creator_ of the deploy key must have access to the branch.
- When a deploy key is used to push a commit that triggers a CI/CD pipelines, the **creator** of - When a deploy key is used to push a commit that triggers a CI/CD pipeline, the _creator_ of the
the deploy key must have access to the CI/CD resources (like protected environments, secret variables, and so on). deploy key must have access to the CI/CD resources, including protected environments and secret
- If the **creator** of a deploy key does not have permissions to read a project's variables.
repository, the deploy key _might_ encounter an error during the process.
## Differences between deploy keys and deploy tokens ## View deploy keys
Both deploy keys and [deploy tokens](../deploy_tokens/index.md#deploy-tokens) can To view the deploy keys available to a project:
help you access a repository, but there are some notables differences between them:
- Deploy keys are shareable between projects that are not related or don't even
belong to the same group. Deploy tokens belong to either a project or
[a group](../deploy_tokens/index.md#group-deploy-token).
- A deploy key is an SSH key you generate on the **remote machine**. A deploy
token, on the other hand, is generated by your **GitLab instance**, and is
provided to users only once (at creation time).
- A deploy key is valid as long as it's registered and enabled. Deploy tokens
can be time-sensitive, as you can control their validity by setting an
expiration date to them.
- You can't log in to a registry with deploy keys, or perform read / write operations
on it, but this [is possible with deploy tokens](../deploy_tokens/index.md#gitlab-deploy-token).
- You need an SSH key pair to use deploy keys, but not deploy tokens.
## How to enable deploy keys
### Project deploy keys
[Project maintainers and owners](../../permissions.md#project-members-permissions)
can add or enable a deploy key for a project repository:
1. On the top bar, select **Menu > Projects** and find your project. 1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Settings > Repository**. 1. On the left sidebar, select **Settings > Repository**.
1. Expand **Deploy keys**. 1. Expand **Deploy keys**.
1. Specify a title for the new deploy key and paste your public SSH key.
1. Optional. To allow `read-write` access, select the **Grant write permissions to this key** checkbox. Leave it unchecked for `read-only` access.
There are three lists of project deploy keys: The deploy keys available are listed:
- Enabled deploy keys - **Enabled deploy keys:** Deploy keys that have access to the project.
- Privately accessible deploy keys - **Privately accessible deploy keys:** Project deploy keys that don't have access to the project.
- Public accessible deploy keys - **Public accessible deploy keys:** Public deploy keys that don't have access to the project.
![Deploy keys section](img/deploy_keys_v13_0.png) ## Create a project deploy key
After you add a key, it's enabled for this project by default and it appears Prerequisites:
in the **Enabled deploy keys** tab.
In the **Privately accessible deploy keys** tab, you can enable a private key which - You must have at least the Maintainer role for the project.
has been already imported in a different project. If you have access to these keys, - [Generate an SSH key pair](../../../ssh/index.md#generate-an-ssh-key-pair). Put the private SSH
it's because you have either: key on the host that requires access to the repository.
- Previously uploaded the keys yourself in a different project. 1. On the top bar, select **Menu > Projects** and find your project.
- You are a maintainer or owner of the other project where the keys were imported. 1. On the left sidebar, select **Settings > Repository**.
1. Expand **Deploy keys**.
In the **Publicly accessible deploy keys** tab, you can enable 1. Complete the fields.
keys that were [made available to your entire GitLab instance](#public-deploy-keys). 1. Optional. To grant `read-write` permission, select the **Grant write permissions to this key**
checkbox.
After a key is added, you can edit it to update its title, or switch between `read-only` A project deploy key is enabled when it is created. You can modify only a project deploy key's
and `read-write` access. name and permissions.
NOTE: ## Create a public deploy key
If you have enabled a privately or publicly accessible or deploy key for your
project, and if you then update the access level for this key from `read-only` to
`read-write`, the change is only for the **current project**.
### Public deploy keys Prerequisites:
Public deploy keys allow `read-only` or `read-write` access to any repository in - You must have administrator access.
your GitLab instance. This allows for the integration of your repositories to - [Generate an SSH key pair](../../../ssh/index.md#generate-an-ssh-key-pair). Put the private SSH
secure, shared services, such as CI/CD. key on the host that requires access to the repository.
Instance administrators can add public deploy keys: To create a public deploy key:
1. On the top bar, select **Menu > Admin**. 1. On the top bar, select **Menu > Admin**.
1. On the left sidebar, select **Deploy Keys**. 1. On the left sidebar, select **Deploy Keys**.
1. Select **New deploy key**. 1. Select **New deploy key**.
1. Complete the fields.
- Use a meaningful description for **Name**. For example, include the name of the external host
or application that will use the public deploy key.
Make sure your new key has a meaningful title. This title is the primary You can modify only a public deploy key's name.
way for project maintainers and owners to identify the correct public deploy key
to add to a repository or project. For example, the key you set up might be
intended to give access to a SaaS CI/CD instance. In this case use the name of
that service in the key title if that is all the key is used for.
![Public deploy keys section](img/public_deploy_key_v13_0.png) ## Grant project access to a public deploy key
After adding a key, it's available to any shared system. Users with a maintainer role or Prerequisites:
higher can [authorize a public deploy key](#project-deploy-keys) to start using
it with the project.
NOTE: - You must have at least the Maintainer role for the project.
The **Publicly accessible deploy keys** tab in a Project's CI/CD
settings only appears if there is at least one Public deploy key configured.
Public deploy keys can provide greater security compared to project deploy keys. To grant a public deploy key access to a project:
This is because the administrator of the target integrated system is the only
entity who needs to know or configure the key value.
When creating a Public deploy key, consider what scope and permissions are 1. On the top bar, select **Menu > Projects** and find your project.
required for it across the entire GitLab instance. For very narrow usage, such 1. On the left sidebar, select **Settings > Repository**.
as a single specific service, a `read-only` deploy key tied to this service is 1. Expand **Deploy keys**.
best. If the service entails broader usage across the instance, a 1. Select **Publicly accessible deploy keys**.
deploy key with full `read-write` access is more appropriate. 1. In the key's row, select **Enable**.
1. To grant read-write permission to the public deploy key:
1. In the key's row, select **Edit** (**{pencil}**).
1. Select the **Grant write permissions to this key** checkbox.
## Revoke project access of a deploy key
WARNING: To revoke a deploy key's access to a project, you can disable it. Any service that relies on
Adding a public deploy key **does not** immediately expose any repository a deploy key stops working when the key is disabled.
to the remote machine. Access to a project is only given when a project
maintainer chooses to make use of a deploy key in the project's
configuration.
## How to disable deploy keys Prerequisites:
[Project maintainers and owners](../../permissions.md#project-members-permissions) - You must have at least the Maintainer role for the project.
can remove or disable a deploy key for a project repository:
To disable a deploy key:
1. On the top bar, select **Menu > Projects** and find your project. 1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Settings > Repository**. 1. On the left sidebar, select **Settings > Repository**.
1. Expand **Deploy keys**. 1. Expand **Deploy keys**.
1. Select **Disable** (**{cancel}**). 1. Select **Disable** (**{cancel}**).
NOTE: What happens to the deploy key when it is disabled depends on the following:
Any service that relies on a deploy key stops working after that key is removed.
If the key is **publicly accessible**, it is removed from the project, but can
still be found under **Publicly accessible deploy keys**.
If the key is **privately accessible** and only in use by this project, it is
deleted entirely from GitLab on removal.
If the key is **privately accessible** and also in use by other projects, it is - If the key is publicly accessible, it is removed from the project but still available in the
removed from the project, but still available under **Privately accessible **Publicly accessible deploy keys** tab.
deploy keys**. - If the key is privately accessible and only in use by this project, it is deleted.
- If the key is privately accessible and also in use by other projects, it is removed from the
project, but still available in the **Privately accessible deploy keys** tab.
## Troubleshooting ## Troubleshooting
...@@ -192,7 +151,7 @@ branch](../protected_branches.md). ...@@ -192,7 +151,7 @@ branch](../protected_branches.md).
- The owner associated to a deploy key does not have access to the protected branch. - The owner associated to a deploy key does not have access to the protected branch.
- The owner associated to a deploy key does not have [membership](../members/index.md) to the project of the protected branch. - The owner associated to a deploy key does not have [membership](../members/index.md) to the project of the protected branch.
- **No one** is selected in [the "Allowed to push" section](../protected_branches.md#configure-a-protected-branch) of the protected branch. - **No one** is selected in [the **Allowed to push** section](../protected_branches.md#configure-a-protected-branch) of the protected branch.
All deploy keys are associated to an account. Since the permissions for an account can change, this might lead to scenarios where a deploy key that was working is suddenly unable to push to a protected branch. All deploy keys are associated to an account. Since the permissions for an account can change, this might lead to scenarios where a deploy key that was working is suddenly unable to push to a protected branch.
......
...@@ -128,8 +128,12 @@ key must have at least read access to the project. ...@@ -128,8 +128,12 @@ key must have at least read access to the project.
Prerequisites: Prerequisites:
- The deploy key must be [enabled for your project](deploy_keys/index.md#how-to-enable-deploy-keys). - The deploy key must be enabled for your project. A project deploy key is enabled by default when
- The deploy key must have [write access](deploy_keys/index.md#deploy-keys-permissions) to your project repository. it is created. However, a public deploy key must be
[granted](deploy_keys/index.md#grant-project-access-to-a-public-deploy-key) access to the
project.
- The deploy key must have [write access](deploy_keys/index.md#permissions) to your project
repository.
To allow a deploy key to push to a protected branch: To allow a deploy key to push to a protected branch:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment