Introduced in GitLab 10.7.
Deploy tokens allow to download (through
git clone), or read the container registry images of a project without the need of having a user and a password.
Please note, that the expiration of deploy tokens happens on the date you define, at midnight UTC and that they can be only managed by maintainers.
Creating a Deploy Token
You can create as many deploy tokens as you like from the settings of your project:
- Log in to your GitLab account.
- Go to the project you want to create Deploy Tokens for.
- Go to Settings > Repository.
- Click on "Expand" on Deploy Tokens section.
- Choose a name and optionally an expiry date for the token.
- Choose the desired scopes.
- Click on Create deploy token.
- Save the deploy token somewhere safe. Once you leave or refresh the page, you won't be able to access it again.
Revoking a deploy token
At any time, you can revoke any deploy token by just clicking the respective Revoke button under the 'Active deploy tokens' area.
Limiting scopes of a deploy token
Deploy tokens can be created with two different scopes that allow various actions that a given token can perform. The available scopes are depicted in the following table.
||Allows read-access to the repository through
||Allows read-access to container registry images if a project is private and authorization is required.|
Git clone a repository
To download a repository using a Deploy Token, you just need to:
Create a Deploy Token with
read_repositoryas a scope.
Take note of your
git clonethe project using the Deploy Token:
git clone http://<username>:<deploy_token>@gitlab.example.com/tanuki/awesome_project.git
<deploy_token> with the proper values.
Read Container Registry images
To read the container registry images, you'll need to:
- Create a Deploy Token with
read_registryas a scope.
- Take note of your
- Log in to GitLab’s Container Registry using the deploy token:
docker login registry.example.com -u <username> -p <deploy_token>
<deploy_token> with the proper values. Then you can simply
pull images from your Container Registry.
GitLab Deploy Token
Introduced in GitLab 10.8.
There's a special case when it comes to Deploy Tokens. If a user creates one
gitlab-deploy-token, the username and token of the Deploy Token will be
automatically exposed to the CI/CD jobs as environment variables:
CI_DEPLOY_PASSWORD, respectively. With the GitLab Deploy Token, the
read_registry scope is implied.
After you create the token, you can login to the Container Registry using those variables:
docker login -u $CI_DEPLOY_USER -p $CI_DEPLOY_PASSWORD $CI_REGISTRY