How to... set up a GitLab Personal Access Token (PAT)
A GitLab Personal Access Token is an alphanumeric secret used to authenticate and authorize access to GitLab's API and GitLab services in place of a username and password.
For example, a git repository can be cloned to your local machine with a PAT, without being prompted for a username and password, like this:
git clone https://oauth2:ACCESS_TOKEN@gitlab.com/yourself/yourproject.git
Setup
In GitLab, follow these steps to create a personal access token that grants access to your repositories:
- From GitLab, click your user icon in the upper-left corner of the screen and select Preferences.
- Click Access Tokens in the sidebar.
- Click Add new token in the Personal Access Tokens section of the page.
- Enter a name for the token.
- Select the scopes to grant by checking the boxes for the permission levels you need. For details on the scope options, read the GitLab documentation on PAT scopes.
- Click Create personal access token.
Best Practice & Notes
- Sagacity users should maintain their own tokens at the GitLab account level, although tokens can also be issued at the project level.
- Tokens cannot have a lifespan greater than 1 year, and it should be shortened as far as possible (for example, by matching the token lifespan to the project's duration).
- Permission scopes should be limited to as few as possible per token. The idea is to have multiple tokens for multiple use cases, each with fine-grained permissions; for example, the authentication example above only requires the "api" scope.
- Over-provisioning a token with broad access levels creates a much wider blast radius.
- Rotating tokens on a regular basis reduces the exposure of a token held in a local keychain. Tokens can be revoked at any time.
- Using multiple tokens separates the more mundane GitLab use cases (such as repository access) from the more sensitive parts of GitLab (such as settings and memberships).
- In the vast majority of use cases, the "write_repository" and "api" scopes are sufficient.
- A token never grants more than the user's own role permissions when reading from or writing to repositories.
- When a GitLab access token is within 14 days of expiry you will receive an email. A new token must be created to replace the old one.
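Because the clone form above leaves the token in the repository's .git/config, the scoping and rotation points in this list matter in practice; the following script, added here and not part of the original page, audits a token's own metadata against them (lifespan under a year, replacement due within 14 days, scopes beyond "api"/"write_repository"). It assumes GitLab's GET /api/v4/personal_access_tokens/self endpoint with the PRIVATE-TOKEN header and, when no GITLAB_TOKEN is set, runs on a constructed sample response.

```python
"""Audit a GitLab PAT's metadata against the practices listed above (added example)."""
import json
import os
import urllib.request
from datetime import date

GITLAB_URL = "https://gitlab.com"             # assumption: change for self-hosted GitLab
MAX_LIFETIME_DAYS = 365                        # tokens may not live longer than 1 year
WARN_DAYS = 14                                 # GitLab mails a warning 14 days before expiry
DEFAULT_SCOPES = {"api", "write_repository"}   # sufficient for most use cases


def fetch_token_info(token: str, base_url: str = GITLAB_URL) -> dict:
    """Ask GitLab about the token itself (assumes the /personal_access_tokens/self endpoint)."""
    req = urllib.request.Request(f"{base_url}/api/v4/personal_access_tokens/self",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_token(info: dict, today: str = None, allowed_scopes=DEFAULT_SCOPES) -> list:
    """Return a list of findings; an empty list means the token follows the guidance."""
    today = date.fromisoformat(today) if today else date.today()
    findings = []
    if info.get("revoked") or not info.get("active", True):
        findings.append("token is revoked or inactive: replace it")
    created = date.fromisoformat(info["created_at"][:10])   # keep only YYYY-MM-DD
    expires = date.fromisoformat(info["expires_at"][:10])
    lifetime = (expires - created).days
    if lifetime > MAX_LIFETIME_DAYS:
        findings.append(f"lifetime of {lifetime} days exceeds {MAX_LIFETIME_DAYS}-day maximum")
    days_left = (expires - today).days
    if days_left < 0:
        findings.append("token has expired")
    elif days_left <= WARN_DAYS:
        findings.append(f"expires in {days_left} days: create a replacement token")
    extra = set(info.get("scopes", [])) - set(allowed_scopes)
    if extra:
        findings.append(f"scopes broader than needed: {sorted(extra)}")
    return findings


# Constructed sample response (not real GitLab output): a clone token that is about to
# expire and carries the "sudo" scope it does not need.
SAMPLE_INFO = {"name": "ci-clone", "revoked": False, "active": True,
               "created_at": "2024-01-15T10:00:00.000Z", "expires_at": "2025-01-10",
               "scopes": ["api", "write_repository", "sudo"]}

if __name__ == "__main__":
    token = os.environ.get("GITLAB_TOKEN")       # read from the environment, never hard-code it
    info = fetch_token_info(token) if token else SAMPLE_INFO
    for finding in audit_token(info):
        print("WARN:", finding)
```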