The site that you are currently viewing is a static version of the Software Factory
documentation delivered with the
version v7.2.
For up-to-date documentation, see the
latest version.
Secrets, Tokens and Credentials in GitLab
4 minute read
This document lists all secrets, tokens and credentials that can be configured and managed by an administrator user in GitLab.
List of credentials
| Credentials type | Usage | Official documentation link | Comment |
|---|---|---|---|
| Tokens | |||
| Personal Access Tokens | Authenticate to GitLab API, Git repositories through HTTPS, GitLab registry | Personal Access Tokens | |
| Project access tokens | Access tokens scoped to a project | Project access tokens | |
| Group access tokens | Access tokens scoped yo a group | Group access tokens | |
| Impersonation Tokens | Admin‑created personal access token that lets you authenticate to the GitLab API, repositories, and registry as a specific user | Impersonation tokens | |
| OAuth 2.0 tokens | Allow other services to access the GitLab API on a user’s behalf | OAuth 2.0 tokens | |
| Keys | |||
| SSH Keys | Git Workflows | Use SSH Keys | |
| Other | |||
| User passwords | User Authentication | Security configuration | |
| Two-factor authentication (2FA) | Additional level of security to GitLab account | Two-factor Authentication |
Credential Configuration Parameters
This section lists all parameters available for credential configuration. Each parameter can be set by an administrator through the Admin UI, REST API request, or defined in a configuration file.
Single Sign-on Authentication
Software Factory recommends implementing SAML-based authentication for Single Sign-On (SSO).
We also advise disabling password and passkey authentication for the web interface by going to Admin UI > Setting > General , expand Sign-in restrictions , uncheck Allow password and passkey authentication for the web interface , select Save .
| Credentials type | Parameters | Configuration location | Admin panel configuration | Default configuration | Recommendation | Official documentation link |
|---|---|---|---|---|---|---|
| Access tokens | Lifetime limit | Only in Admin UI | In Admin panel go to Settings > General , expand Account and limit section, fill Maximum allowable lifetime for access tokens (days), select Save changes | 365 days | 90 days | Account and limit settings |
| Require expiration dates for new access tokens | Only in Admin UI | In Admin panel go to Settings > General , expand Account and limit section, navigate to Access token expiration | Enabled | Enabled | Require expiration dates for tokens | |
| Inactive project and group access token retention period | Only in Admin UI | In Admin panel go to Settings > General , expand Account and limit section, navigate to Inactive project and group access token retention period | 30 days | 30 days | Inactive project/group token retention | |
| User OAuth applications setting | Only in Admin UI | In Admin panel go to Settings > General , expand Account and limit section, select or clear User OAuth applications | Enabled | Enabled | User OAuth application setting | |
| OAuth authorizations | Only in Admin UI | In Admin panel go to Settings > General , expand Account and limit section, select or clear Allow user to use resource owner password credentials flow without OAuth client credentials | Enabled | Enabled | OAuth authorizations | |
| SSH Keys | Lifetime limit | Only in Admin UI | In Admin panel go to Settings > General , expand Account and limit section, fill Maximum allowable lifetime for SSH keys (days), select Save changes | 365 days | 180 days | Limit the lifetime of SSH keys |
| Key restrictions | Only in Admin UI | In Admin panel go to Settings > General , expand Visibility and access controls section, look for SSH Keys | All SSH key types allowed | Check SSH Keys restrictions recommendation | SSH keys restrictions | |
| User passwords | Password complexity | In Admin UI or through REST API | In Admin panel go to Settings > General , then expand Sign-up restrictions | Default password requirements | Recommended password complexity . Software Factory recommends setting up SSO . | GitLab password complexity |
| Two-factor authentication | Enforce two-factor authentication for all users | Only in Admin UI | In Admin panel go to Settings > General , then expand Sign-in restrictions , select the Enforce two-factor authentication checkbox | Default | Recommendation | Enfoce 2FA authentication |
| Enforce two-factor authentication for administrators | Only in Admin UI | In Admin panel go to Settings > General , then expand Sign-in restrictions , select the Enforce two-factor authentication for administrators checkbox | Default | Recommendation | Enfoce 2FA authentication |
SSH Keys recommendations
- DSA Keys are forbidden
- RSA Keys must be at least 2048 bits
- ECDSA Keys must be at least 256 bits
- ED25519 Keys must be at least 256 bits
Password complexity defaults
| Setting | Description |
|---|---|
| Minimum password length | Sets the minimum number of characters required. Cannot be less than 8 characters or more than 128 characters. |
| Require numbers | Requires passwords to contain at least one number (0-9). Premium and Ultimate only. |
| Require uppercase letters | Requires passwords to contain at least one uppercase letter (A-Z). Premium and Ultimate only. |
| Require lowercase letters | Requires passwords to contain at least one lowercase letter (a-z). Premium and Ultimate only. |
| Require symbols | Requires passwords to contain at least one symbol. Premium and Ultimate only. |
Password complexity recommendation
| Setting | Description |
|---|---|
| Minimum password length | Sets the minimum number of characters required. Cannot be less than 16 characters or more than 128 characters. |
| Require numbers | Requires passwords to contain at least one number (0-9). |
| Require uppercase letters | Requires passwords to contain at least one uppercase letter (A-Z). |
| Require lowercase letters | Requires passwords to contain at least one lowercase letter (a-z). |
| Require symbols | Requires passwords to contain at least one symbol. |