2020-05-29 14:08:26 -04:00
---
stage: Release
2020-12-01 10:09:28 -05:00
group: Release
2020-11-26 01:09:20 -05:00
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
2020-05-29 14:08:26 -04:00
---
2021-12-28 13:15:23 -05:00
# Deploy keys **(FREE)**
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
Use deploy keys to access repositories that are hosted in GitLab. In most cases, you use deploy keys
to access a repository from an external host, like a build server or Continuous Integration (CI) server.
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
Depending on your needs, you might want to use a [deploy token ](../deploy_tokens/ ) to access a repository instead.
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
| Attribute | Deploy key | Deploy token |
|------------------|-------------|--------------|
| Sharing | Shareable between multiple projects, even those in different groups. | Belong to a project or group. |
| Source | Public SSH key generated on an external host. | Generated on your GitLab instance, and is provided to users only at creation time. |
| Validity | Valid as long as it's registered and enabled. | Can be given an expiration date. |
| Registry access | Cannot access a package registry. | Can read from and write to a package registry. |
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
## Scope
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
A deploy key has a defined scope when it is created:
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
- **Project deploy key:** Access is limited to the selected project.
- **Public deploy key:** Access can be granted to _any_ project in a GitLab instance. Access to each
project must be [granted ](#grant-project-access-to-a-public-deploy-key ) by a user with at least
the Maintainer role.
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
You cannot change a deploy key's scope after creating it.
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
## Permissions
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
A deploy key is given a permission level when it is created:
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
- **Read-only:** A read-only deploy key can only read from the repository.
- **Read-write:** A read-write deploy key can read from, and write to, the repository.
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
You can change a deploy key's permission level after creating it. Changing a project deploy key's
permissions only applies for the current project.
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
When a read-write deploy key is used to push a commit, GitLab checks if the creator of the
deploy key has permission to access the resource.
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
For example:
2020-05-22 02:08:41 -04:00
- When a deploy key is used to push a commit to a [protected branch ](../protected_branches.md ),
2022-03-01 13:20:20 -05:00
the _creator_ of the deploy key must have access to the branch.
- When a deploy key is used to push a commit that triggers a CI/CD pipeline, the _creator_ of the
deploy key must have access to the CI/CD resources, including protected environments and secret
variables.
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
## View deploy keys
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
To view the deploy keys available to a project:
2020-05-22 02:08:41 -04:00
2021-10-18 23:11:34 -04:00
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Settings > Repository** .
1. Expand **Deploy keys** .
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
The deploy keys available are listed:
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
- **Enabled deploy keys:** Deploy keys that have access to the project.
- **Privately accessible deploy keys:** Project deploy keys that don't have access to the project.
- **Public accessible deploy keys:** Public deploy keys that don't have access to the project.
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
## Create a project deploy key
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
Prerequisites:
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
- You must have at least the Maintainer role for the project.
2022-03-29 02:08:52 -04:00
- [Generate an SSH key pair ](../../ssh.md#generate-an-ssh-key-pair ). Put the private SSH
2022-03-01 13:20:20 -05:00
key on the host that requires access to the repository.
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Settings > Repository** .
1. Expand **Deploy keys** .
1. Complete the fields.
1. Optional. To grant `read-write` permission, select the **Grant write permissions to this key**
checkbox.
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
A project deploy key is enabled when it is created. You can modify only a project deploy key's
name and permissions.
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
## Create a public deploy key
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
Prerequisites:
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
- You must have administrator access.
2022-03-29 02:08:52 -04:00
- [Generate an SSH key pair ](../../ssh.md#generate-an-ssh-key-pair ). Put the private SSH
2022-03-01 13:20:20 -05:00
key on the host that requires access to the repository.
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
To create a public deploy key:
2020-05-22 02:08:41 -04:00
2021-08-26 05:11:15 -04:00
1. On the top bar, select **Menu > Admin** .
2021-06-17 05:09:53 -04:00
1. On the left sidebar, select **Deploy Keys** .
1. Select **New deploy key** .
2022-03-01 13:20:20 -05:00
1. Complete the fields.
- Use a meaningful description for **Name** . For example, include the name of the external host
or application that will use the public deploy key.
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
You can modify only a public deploy key's name.
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
## Grant project access to a public deploy key
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
Prerequisites:
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
- You must have at least the Maintainer role for the project.
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
To grant a public deploy key access to a project:
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Settings > Repository** .
1. Expand **Deploy keys** .
1. Select **Publicly accessible deploy keys** .
1. In the key's row, select **Enable** .
1. To grant read-write permission to the public deploy key:
1. In the key's row, select **Edit** (**{pencil}**).
1. Select the **Grant write permissions to this key** checkbox.
## Revoke project access of a deploy key
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
To revoke a deploy key's access to a project, you can disable it. Any service that relies on
a deploy key stops working when the key is disabled.
2020-05-22 02:08:41 -04:00
2022-03-01 13:20:20 -05:00
Prerequisites:
2021-04-22 11:09:56 -04:00
2022-03-01 13:20:20 -05:00
- You must have at least the Maintainer role for the project.
To disable a deploy key:
2021-04-22 11:09:56 -04:00
2021-10-18 23:11:34 -04:00
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Settings > Repository** .
1. Expand **Deploy keys** .
1. Select **Disable** (**{cancel}**).
2021-04-22 11:09:56 -04:00
2022-03-01 13:20:20 -05:00
What happens to the deploy key when it is disabled depends on the following:
2021-04-22 11:09:56 -04:00
2022-03-01 13:20:20 -05:00
- If the key is publicly accessible, it is removed from the project but still available in the
**Publicly accessible deploy keys** tab.
- If the key is privately accessible and only in use by this project, it is deleted.
- If the key is privately accessible and also in use by other projects, it is removed from the
project, but still available in the **Privately accessible deploy keys** tab.
2021-04-22 11:09:56 -04:00
2020-05-22 02:08:41 -04:00
## Troubleshooting
2021-02-05 10:09:28 -05:00
### Deploy key cannot push to a protected branch
2020-05-22 02:08:41 -04:00
2021-10-05 02:11:36 -04:00
There are a few scenarios where a deploy key will fail to push to a [protected
branch](../protected_branches.md).
2020-05-22 02:08:41 -04:00
2021-10-05 02:11:36 -04:00
- The owner associated to a deploy key does not have access to the protected branch.
- The owner associated to a deploy key does not have [membership ](../members/index.md ) to the project of the protected branch.
2022-03-01 13:20:20 -05:00
- **No one** is selected in [the **Allowed to push** section ](../protected_branches.md#configure-a-protected-branch ) of the protected branch.
2021-10-05 02:11:36 -04:00
2021-10-13 14:12:40 -04:00
All deploy keys are associated to an account. Since the permissions for an account can change, this might lead to scenarios where a deploy key that was working is suddenly unable to push to a protected branch.
2021-10-05 02:11:36 -04:00
We recommend you create a service account, and associate a deploy key to the service account, for projects using deploy keys.
