2020-07-13 17:09:24 -04:00
---
stage: Release
2020-12-01 10:09:28 -05:00
group: Release
2022-09-21 17:13:33 -04:00
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
2020-07-13 17:09:24 -04:00
type: concepts, howto
---
2020-02-05 10:08:48 -05:00
# Protected environments API **(PREMIUM)**
2021-09-10 05:11:07 -04:00
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/30595) in GitLab 12.8.
2020-02-05 10:08:48 -05:00
## Valid access levels
2022-09-01 11:12:07 -04:00
The access levels are defined in the `ProtectedEnvironments::DeployAccessLevel::ALLOWED_ACCESS_LEVELS` method.
2020-02-05 10:08:48 -05:00
Currently, these levels are recognized:
2020-02-27 19:09:08 -05:00
```plaintext
2020-02-05 10:08:48 -05:00
30 => Developer access
40 => Maintainer access
60 => Admin access
```
2022-05-10 11:09:19 -04:00
## Group inheritance types
Group inheritance allows deploy access levels and access rules to take inherited group membership into account. The group inheritance types are defined by `ProtectedEnvironments::Authorizable::GROUP_INHERITANCE_TYPE` .
The following types are recognized:
```plaintext
0 => Direct group membership only (default)
1 => All inherited groups
```
2020-02-05 10:08:48 -05:00
## List protected environments
Gets a list of protected environments from a project:
2022-06-08 23:08:17 -04:00
```plaintext
2020-02-05 10:08:48 -05:00
GET /projects/:id/protected_environments
```
| Attribute | Type | Required | Description |
| --------- | ---- | -------- | ----------- |
2021-06-28 11:08:03 -04:00
| `id` | integer/string | yes | The ID or [URL-encoded path of the project ](index.md#namespaced-path-encoding ) owned by the authenticated user. |
2020-02-05 10:08:48 -05:00
2020-02-18 13:09:07 -05:00
```shell
2020-05-27 20:08:37 -04:00
curl --header "PRIVATE-TOKEN: < your_access_token > " "https://gitlab.example.com/api/v4/projects/5/protected_environments/"
2020-02-05 10:08:48 -05:00
```
Example response:
```json
[
{
"name":"production",
"deploy_access_levels":[
{
2022-08-31 11:12:39 -04:00
"id": 12,
2020-02-05 10:08:48 -05:00
"access_level":40,
"access_level_description":"Maintainers",
"user_id":null,
2022-05-10 11:09:19 -04:00
"group_id":null,
"group_inheritance_type": 0
2020-02-05 10:08:48 -05:00
}
2022-01-05 07:16:26 -05:00
],
2022-08-31 11:12:39 -04:00
"required_approval_count": 0
2020-02-05 10:08:48 -05:00
}
]
```
## Get a single protected environment
Gets a single protected environment:
2022-06-08 23:08:17 -04:00
```plaintext
2020-02-05 10:08:48 -05:00
GET /projects/:id/protected_environments/:name
```
| Attribute | Type | Required | Description |
| --------- | ---- | -------- | ----------- |
2021-06-28 11:08:03 -04:00
| `id` | integer/string | yes | The ID or [URL-encoded path of the project ](index.md#namespaced-path-encoding ) owned by the authenticated user |
2020-02-05 10:08:48 -05:00
| `name` | string | yes | The name of the protected environment |
2020-02-18 13:09:07 -05:00
```shell
2020-05-27 20:08:37 -04:00
curl --header "PRIVATE-TOKEN: < your_access_token > " "https://gitlab.example.com/api/v4/projects/5/protected_environments/production"
2020-02-05 10:08:48 -05:00
```
Example response:
```json
{
"name":"production",
"deploy_access_levels":[
{
2022-08-31 11:12:39 -04:00
"id": 12,
2022-01-05 07:16:26 -05:00
"access_level": 40,
"access_level_description": "Maintainers",
"user_id": null,
2022-05-10 11:09:19 -04:00
"group_id": null,
"group_inheritance_type": 0
2020-02-05 10:08:48 -05:00
}
2022-01-05 07:16:26 -05:00
],
2022-08-31 11:12:39 -04:00
"required_approval_count": 0
2020-02-05 10:08:48 -05:00
}
```
## Protect repository environments
Protects a single environment:
2022-06-08 23:08:17 -04:00
```plaintext
2020-02-05 10:08:48 -05:00
POST /projects/:id/protected_environments
```
2022-08-31 11:12:39 -04:00
| Attribute | Type | Required | Description |
| --------- | ---- | -------- | ----------- |
| `id` | integer/string | yes | The ID or [URL-encoded path of the project ](index.md#namespaced-path-encoding ) owned by the authenticated user. |
| `name` | string | yes | The name of the environment. |
| `deploy_access_levels` | array | yes | Array of access levels allowed to deploy, with each described by a hash. |
| `required_approval_count` | integer | no | The number of approvals required to deploy to this environment. |
| `approval_rules` | array | no | Array of access levels allowed to approve, with each described by a hash. See [Multiple approval rules ](../ci/environments/deployment_approvals.md#multiple-approval-rules ) for more information. |
Elements in the `deploy_access_levels` and `approval_rules` array should be one of `user_id` , `group_id` or
`access_level` , and take the form `{user_id: integer}` , `{group_id: integer}` or
`{access_level: integer}` . Optionally you can specify the `group_inheritance_type` on each as one of the [valid group inheritance types ](#group-inheritance-types ).
Each user must have access to the project and each group must [have this project shared ](../user/project/members/share_project_with_groups.md ).
2020-02-18 13:09:07 -05:00
```shell
2021-06-02 11:09:59 -04:00
curl --header 'Content-Type: application/json' --request POST \
2022-04-13 11:08:16 -04:00
--data '{"name": "production", "deploy_access_levels": [{"group_id": 9899826}], "approval_rules": [{"group_id": 134}, {"group_id": 135, "required_approvals": 2}]}' \
2021-06-02 11:09:59 -04:00
--header "PRIVATE-TOKEN: < your_access_token > " \
"https://gitlab.example.com/api/v4/projects/22034114/protected_environments"
2020-02-05 10:08:48 -05:00
```
2022-08-31 11:12:39 -04:00
Example response:
```json
{
"name": "production",
"deploy_access_levels": [
{
"id": 12,
"access_level": 40,
"access_level_description": "protected-access-group",
"user_id": null,
"group_id": 9899826,
"group_inheritance_type": 0
}
],
"required_approval_count": 0,
"approval_rules": [
{
"id": 38,
"user_id": null,
"group_id": 134,
"access_level": null,
"access_level_description": "qa-group",
"required_approvals": 1,
"group_inheritance_type": 0
},
{
"id": 39,
"user_id": null,
"group_id": 135,
"access_level": null,
"access_level_description": "security-group",
"required_approvals": 2,
"group_inheritance_type": 0
}
]
}
```
## Update a protected environment
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/351854) in GitLab 15.4.
Updates a single environment.
```plaintext
PUT /projects/:id/protected_environments/:name
```
2020-02-05 10:08:48 -05:00
| Attribute | Type | Required | Description |
| --------- | ---- | -------- | ----------- |
2021-06-28 11:08:03 -04:00
| `id` | integer/string | yes | The ID or [URL-encoded path of the project ](index.md#namespaced-path-encoding ) owned by the authenticated user. |
2020-02-05 10:08:48 -05:00
| `name` | string | yes | The name of the environment. |
2022-08-31 11:12:39 -04:00
| `deploy_access_levels` | array | no | Array of access levels allowed to deploy, with each described by a hash. |
| `required_approval_count` | integer | no | The number of approvals required to deploy to this environment. |
2022-04-13 11:08:16 -04:00
| `approval_rules` | array | no | Array of access levels allowed to approve, with each described by a hash. See [Multiple approval rules ](../ci/environments/deployment_approvals.md#multiple-approval-rules ) for more information. |
2020-02-05 10:08:48 -05:00
2022-04-13 11:08:16 -04:00
Elements in the `deploy_access_levels` and `approval_rules` array should be one of `user_id` , `group_id` or
2020-10-27 14:08:59 -04:00
`access_level` , and take the form `{user_id: integer}` , `{group_id: integer}` or
2022-05-10 11:09:19 -04:00
`{access_level: integer}` . Optionally you can specify the `group_inheritance_type` on each as one of the [valid group inheritance types ](#group-inheritance-types ).
2022-08-31 11:12:39 -04:00
To update:
- **`user_id`**: Ensure the updated user has access to the project. You must also pass the `id` of either a `deploy_access_level` or `approval_rule` in the respective hash.
- **`group_id`**: Ensure the updated group [have this project shared ](../user/project/members/share_project_with_groups.md ). You must also pass the `id` of either a `deploy_access_level` or `approval_rule` in the respective hash.
To delete:
- You must pass `_destroy` set to `true` . See the following examples.
### Example: Create a `deploy_access_level` record
```shell
curl --header 'Content-Type: application/json' --request PUT \
--data '{"deploy_access_levels": [{"group_id": 9899829, access_level: 40}], "required_approval_count": 1}' \
--header "PRIVATE-TOKEN: < your_access_token > " \
"https://gitlab.example.com/api/v4/projects/22034114/protected_environments/production"
```
2020-02-05 10:08:48 -05:00
Example response:
```json
{
2021-11-22 13:10:55 -05:00
"name": "production",
"deploy_access_levels": [
2020-02-05 10:08:48 -05:00
{
2022-08-31 11:12:39 -04:00
"id": 12,
2021-11-22 13:10:55 -05:00
"access_level": 40,
"access_level_description": "protected-access-group",
"user_id": null,
2022-08-31 11:12:39 -04:00
"group_id": 9899829,
"group_inheritance_type": 1
}
],
"required_approval_count": 0
}
```
### Example: Update a `deploy_access_level` record
```shell
curl --header 'Content-Type: application/json' --request PUT \
--data '{"deploy_access_levels": [{"id": 12, "group_id": 22034120}], "required_approval_count": 2}' \
--header "PRIVATE-TOKEN: < your_access_token > " "https://gitlab.example.com/api/v4/projects/22034114/protected_environments/production"
```
```json
{
"name": "production",
"deploy_access_levels": [
{
"id": 12,
"access_level": 40,
"access_level_description": "protected-access-group",
"user_id": null,
"group_id": 22034120,
2022-05-10 11:09:19 -04:00
"group_inheritance_type": 0
2020-02-05 10:08:48 -05:00
}
2022-01-05 07:16:26 -05:00
],
2022-08-31 11:12:39 -04:00
"required_approval_count": 2
}
```
### Example: Delete a `deploy_access_level` record
```shell
curl --header 'Content-Type: application/json' --request PUT \
--data '{"deploy_access_levels": [{"id": 12, "_destroy": true}], "required_approval_count": 0}' \
--header "PRIVATE-TOKEN: < your_access_token > " "https://gitlab.example.com/api/v4/projects/22034114/protected_environments/production"
```
Example response:
```json
{
"name": "production",
"deploy_access_levels": [],
"required_approval_count": 0
}
```
### Example: Create an `approval_rule` record
```shell
curl --header 'Content-Type: application/json' --request PUT \
--data '{"approval_rules": [{"group_id": 134, "required_approvals": 1}]}' \
--header "PRIVATE-TOKEN: < your_access_token > " \
"https://gitlab.example.com/api/v4/projects/22034114/protected_environments/production"
```
Example response:
```json
{
"name": "production",
"approval_rules": [
{
"id": 38,
"user_id": null,
"group_id": 134,
"access_level": null,
"access_level_description": "qa-group",
"required_approvals": 1,
"group_inheritance_type": 0
}
]
}
```
### Example: Update an `approval_rule` record
```shell
curl --header 'Content-Type: application/json' --request PUT \
--data '{"approval_rules": [{"id": 38, "group_id": 135, "required_approvals": 2}]}' \
--header "PRIVATE-TOKEN: < your_access_token > " "https://gitlab.example.com/api/v4/projects/22034114/protected_environments/production"
```
```json
{
"name": "production",
"approval_rules": [
{
"id": 38,
"user_id": null,
"group_id": 135,
"access_level": null,
"access_level_description": "security-group",
"required_approvals": 2,
"group_inheritance_type": 0
}
]
}
```
### Example: Delete an `approval_rule` record
```shell
curl --header 'Content-Type: application/json' --request PUT \
--data '{"approval_rules": [{"id": 38, "_destroy": true}]}' \
--header "PRIVATE-TOKEN: < your_access_token > " "https://gitlab.example.com/api/v4/projects/22034114/protected_environments/production"
```
Example response:
```json
{
"name": "production",
"approval_rules": []
2020-02-05 10:08:48 -05:00
}
```
## Unprotect environment
Unprotects the given protected environment:
2022-06-08 23:08:17 -04:00
```plaintext
2020-02-05 10:08:48 -05:00
DELETE /projects/:id/protected_environments/:name
```
| Attribute | Type | Required | Description |
| --------- | ---- | -------- | ----------- |
2021-06-28 11:08:03 -04:00
| `id` | integer/string | yes | The ID or [URL-encoded path of the project ](index.md#namespaced-path-encoding ) owned by the authenticated user. |
2020-02-05 10:08:48 -05:00
| `name` | string | yes | The name of the protected environment. |
2022-08-31 11:12:39 -04:00
```shell
curl --request DELETE --header "PRIVATE-TOKEN: < your_access_token > " "https://gitlab.example.com/api/v4/projects/5/protected_environments/staging"
```