diff options
Diffstat (limited to 'doc/user/project/deploy_keys/index.md')
| -rw-r--r-- | doc/user/project/deploy_keys/index.md | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/doc/user/project/deploy_keys/index.md b/doc/user/project/deploy_keys/index.md index 5bd19fec0ba..4e380d485a8 100644 --- a/doc/user/project/deploy_keys/index.md +++ b/doc/user/project/deploy_keys/index.md @@ -40,7 +40,6 @@ A deploy key is given a permission level when it is created: You can change a deploy key's permission level after creating it. Changing a project deploy key's permissions only applies for the current project. -Although a deploy key is a secret that isn't associated with a specific user, GitLab authorizes the creator of the deploy key if the Git-command triggers additional processes. For example: - When a deploy key is used to push a commit to a [protected branch](../protected_branches.md), @@ -58,6 +57,9 @@ For human interactions, use credentials tied to users such as Personal Access To To help detect a potential secret leak, you can use the [Audit Event](../../../administration/audit_event_streaming/examples.md#example-payloads-for-ssh-events-with-deploy-key) feature. +WARNING: +Deploy keys work even if the user who created them is removed from the group or project. + ## View deploy keys To view the deploy keys available to a project: @@ -128,6 +130,20 @@ To grant a public deploy key access to a project: 1. In the key's row, select **Edit** (**{pencil}**). 1. Select the **Grant write permissions to this key** checkbox. +### Edit project access permissions of a deploy key + +Prerequisites: + +- You must have at least the Maintainer role for the project. + +To edit the project access permissions of a deploy key: + +1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your project. +1. Select **Settings > Repository**. +1. Expand **Deploy keys**. +1. In the key's row, select **Edit** (**{pencil}**). +1. Select or clear the **Grant write permissions to this key** checkbox. + ## Revoke project access of a deploy key To revoke a deploy key's access to a project, you can disable it. Any service that relies on @@ -159,8 +175,10 @@ What happens to the deploy key when it is disabled depends on the following: There are a few scenarios where a deploy key fails to push to a [protected branch](../protected_branches.md). -- The owner associated to a deploy key does not have access to the protected branch. - The owner associated to a deploy key does not have [membership](../members/index.md) to the project of the protected branch. +- The owner associated to a deploy key has [project membership permissions](../../../user/permissions.md#project-members-permissions) lower than required to **View project code**. +- The deploy key does not have [read-write permissions for the project](#edit-project-access-permissions-of-a-deploy-key). +- The deploy key has been [revoked](#revoke-project-access-of-a-deploy-key). - **No one** is selected in [the **Allowed to push and merge** section](../protected_branches.md#add-protection-to-existing-branches) of the protected branch. All deploy keys are associated to an account. Since the permissions for an account can change, this might lead to scenarios where a deploy key that was working is suddenly unable to push to a protected branch. |