The job token is secured by its short life-time and limited scope. It gives a CI/CD jobĪccess to a limited amount of API endpoints.ĪPI authentication uses the job token, by using the authorization of the user Is a short lived token only valid for the duration of a job. Malicious access to a runner’s file system may expose the config.toml file and thus the authentication token, allowing an attacker to clone the runner. They have access to the job token only, which is needed to execute the job. In case of Docker Machine/Kubernetes/VirtualBox/Parallels/SSH executors, the execution environment has no access to the runner authentication token, because it stays on the runner machine. The authentication token is stored locally in the runner’s config.toml file.Īfter authentication with GitLab, the runner receives a job token, which it uses to execute the job. Runner authentication tokens (also called runner tokens)Īfter registration, the runner receives an authentication token, which it uses to authenticate with GitLab when picking up jobs from the job queue.
The runner has access to the project’s code, so be careful when assigning project and group-level permissions.
Token terminal registration#
You can use the runner registration token to add runners that execute jobs in a project or group. The registration token is limited to runner registration and has no further scope. Group or project owners or instance administrators can obtain them through the GitLab user interface. Runner registration tokens are used to register a runner with GitLab. Project maintainers and owners can add or enable a deploy key for a project repository Runner registration tokens By using deploy keys, you don’t have to set up a fake user account. This is useful, for example, for cloning repositories to your Continuous Integration (CI) server. Deploy keys cannot be used with the GitLab API or the registry. Deploy keysĭeploy keys allow read-only or read-write access to your repositories by importing an SSH public key into your GitLab instance. Deploy tokens cannot be used with the GitLab API.ĭeploy tokens can be managed by project maintainers and owners.
Token terminal download#
Deploy tokensĭeploy tokens allow you to download ( git clone) or push and pull packages and container registry images of a project without having a user and a password. When youĬreate a group access token, GitLab creates a bot user for groups.īot users for groups are service accounts and do not count as licensed seats. You can limit the scope and expiration date of group access tokens. As with Personal access tokens, you can use them to authenticate with:
Group access tokensĪre scoped to a group. When youĬreate a project access token, GitLab creates a bot user for projects.īot users for projects are service accounts and do not count as licensed seats. You can limit the scope and expiration date of project access tokens. Project access tokensĪre scoped to a project. You can limit the scope and set an expiration date for an impersonation token. Help you build applications or scripts that authenticate with the GitLab API, repositories, and the GitLab registry as a specific user. It can be created only by an administrator for a specific user. Impersonation tokensĪn Impersonation token is a special type of personal access You can limit the scope and lifetime of your OAuth2 tokens. GitLab can serve as an OAuth2 provider to allow other services to access the GitLab API on a user’s behalf. They inherit permissions from the user who created them. You can limit the scope and expiration date of your personal access tokens. You can create Personal access tokens to authenticate with: This document lists tokens used in GitLab, their purpose and, where applicable, security guidance.
0 kommentar(er)
