Per Repo tokens

Mike Lovelace's Avatar

Mike Lovelace

10 Feb, 2017 05:38 PM

Is it possible to have repository tokens? I.e. tokens that only grant the given access to a specific repository.

Having a single build user with a single token is problematic.

A single build user means that user has access to everything during builds, quite possibly with write access. This is far too broad, but creating and maintaining a user per repo is not scalable.

There also need to be multiple tokens per repository, such that say, a deployment script only has read-only web access, a build script has read only or read-write vcs access, etc...

Basically being able to easily apply the principle of least access and easy key revocation.

  1. Support Staff 1 Posted by Marcin Kuzminsk... on 10 Feb, 2017 05:53 PM

    Marcin Kuzminski's Avatar

    Hi Mike,

    Thanks for sharing your suggestion.
    Currently this is not possible, you'd need to make user-per-repo and generate a token for him. This allows auditibility and things like ip-restrictions would work ootb.

    We had already similar request from another user. But we were not really for that solution as it opens some other problems in terms of beeing able to tell who has an access.

    By that time we had an other idea, and please let us know if it would fit in your use case.

    Instead of per-repository token, user auth-tokens would have an additional scope parameter. It means that you'd have an user called CI_BOT, for this user you can generate multiple tokens, you set a role for that token, and also a scope. A scope could be repository, or repository group. This was you can have a nice way to generate multiple keys but bound to certain repos.

    P.S. Please consider joining our Slack community channel under . Get access to our development team as well as community members always willing to help.

  2. 2 Posted by Mike Lovelace on 10 Feb, 2017 06:05 PM

    Mike Lovelace's Avatar

    I think that could work. My scenario is to create keys on the fly via a custom backend for Vault, such that my builds and deployments only have a token for the minimum amount of time necessary for the task at hand.

    I think how this problem was solved with bit-bucket was by only exposing the token during creation, and otherwise it was no longer accessible.

Reply to this discussion

Internal reply

Formatting help / Preview (switch to plain text) No formatting (switch to Markdown)

Attaching KB article:


Attached Files

You can attach files up to 10MB

If you don't have an account yet, we need to confirm you're human and not a machine trying to post spam.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac


17 Oct, 2018 03:22 PM
15 Oct, 2018 05:20 AM
03 Oct, 2018 01:16 PM
01 Oct, 2018 08:41 AM
28 Sep, 2018 10:12 AM
26 Sep, 2018 04:34 AM