2020-06-09 11:08:05 -04:00
---
stage: Manage
group: Access
2020-11-26 01:09:20 -05:00
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
2020-06-09 11:08:05 -04:00
type: howto
---
2021-01-28 07:09:54 -05:00
# Credentials inventory **(ULTIMATE SELF)**
2019-12-17 04:07:48 -05:00
2020-02-06 10:09:11 -05:00
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20912) in GitLab 12.6.
2019-12-17 04:07:48 -05:00
GitLab administrators are responsible for the overall security of their instance. To assist, GitLab provides a Credentials inventory to keep track of all the credentials that can be used to access their self-managed instance.
2021-03-22 14:09:24 -04:00
Using Credentials inventory, you can see all the personal access tokens (PAT), SSH keys, and GPG keys
that exist in your GitLab instance. In addition, you can [revoke ](#revoke-a-users-personal-access-token )
2021-03-10 10:09:11 -05:00
and [delete ](#delete-a-users-ssh-key ) and see:
2019-12-17 04:07:48 -05:00
- Who they belong to.
- Their access scope.
- Their usage pattern.
2020-07-03 11:09:13 -04:00
- When they expire. [Introduced ](https://gitlab.com/gitlab-org/gitlab/-/issues/214809 ) in GitLab 13.2.
- When they were revoked. [Introduced ](https://gitlab.com/gitlab-org/gitlab/-/issues/214809 ) in GitLab 13.2.
2019-12-17 04:07:48 -05:00
To access the Credentials inventory, navigate to **Admin Area > Credentials** .
The following is an example of the Credentials inventory page:
2021-03-10 10:09:11 -05:00
![Credentials inventory page ](img/credentials_inventory_v13_10.png )
2020-09-10 11:09:10 -04:00
## Revoke a user's personal access token
2020-10-15 11:08:45 -04:00
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214811) in GitLab 13.4.
2020-09-10 11:09:10 -04:00
If you see a **Revoke** button, you can revoke that user's PAT. Whether you see a **Revoke** button depends on the token state, and if an expiration date has been set. For more information, see the following table:
2021-02-18 16:10:43 -05:00
| Token state | [Token expiration enforced? ](settings/account_and_limit_settings.md#optional-non-enforcement-of-personal-access-token-expiration ) | Show Revoke button? | Comments |
2020-09-10 11:09:10 -04:00
|-------------|------------------------|--------------------|----------------------------------------------------------------------------|
| Active | Yes | Yes | Allows administrators to revoke the PAT, such as for a compromised account |
| Active | No | Yes | Allows administrators to revoke the PAT, such as for a compromised account |
2020-10-08 05:08:40 -04:00
| Expired | Yes | No | PAT expires automatically |
| Expired | No | Yes | The administrator may revoke the PAT to prevent indefinite use |
| Revoked | Yes | No | Not applicable; token is already revoked |
| Revoked | No | No | Not applicable; token is already revoked |
2020-10-15 11:08:45 -04:00
2020-11-06 16:08:57 -05:00
When a PAT is revoked from the credentials inventory, the instance notifies the user by email.
2020-10-15 11:08:45 -04:00
## Delete a user's SSH key
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/225248) in GitLab 13.5.
You can **Delete** a user's SSH key by navigating to the credentials inventory's SSH Keys tab.
2020-11-06 16:08:57 -05:00
The instance then notifies the user.
2020-10-15 11:08:45 -04:00
![Credentials inventory page - SSH keys ](img/credentials_inventory_ssh_keys_v13_5.png )
2021-03-10 10:09:11 -05:00
## Review existing GPG keys
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/282429) in GitLab 13.10.
2021-03-17 14:09:01 -04:00
> - It was [deployed behind a feature flag](../feature_flags.md), disabled by default.
> - [Became enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/292961) on GitLab 13.11.
> - It's enabled on GitLab.com.
> - It's recommended for production use.
> - For GitLab self-managed instances, GitLab administrators can opt to [disable it](#enable-or-disable-the-gpg-keys-view).
WARNING:
This feature might not be available to you. Check the **version history** note above for details.
2021-03-10 10:09:11 -05:00
2021-03-22 14:09:24 -04:00
You can view all existing GPG in your GitLab instance by navigating to the
2021-03-10 10:09:11 -05:00
credentials inventory GPG Keys tab, as well as the following properties:
- Who the GPG key belongs to.
- The ID of the GPG key.
- Whether the GPG key is [verified or unverified ](../project/repository/gpg_signed_commits/index.md )
![Credentials inventory page - GPG keys ](img/credentials_inventory_gpg_keys_v13_10.png )
### Enable or disable the GPG keys view
2021-03-17 14:09:01 -04:00
Enabling or disabling the GPG keys view is under development but ready for production use.
It is deployed behind a feature flag that is **enabled by default** .
2021-03-10 10:09:11 -05:00
[GitLab administrators with access to the GitLab Rails console ](../../administration/feature_flags.md )
2021-03-17 14:09:01 -04:00
can opt to disable it.
2021-03-10 10:09:11 -05:00
To enable it:
```ruby
Feature.enable(:credential_inventory_gpg_keys)
```
To disable it:
```ruby
Feature.disable(:credential_inventory_gpg_keys)
```