The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

Secrets, Tokens and Credentials in GitLab

This document lists all secrets, tokens and credentials that can be configured and managed by an administrator user in GitLab.

List of credentials

Credentials typeUsageOfficial documentation linkComment
Tokens
Personal Access TokensAuthenticate to GitLab API, Git repositories through HTTPS, GitLab registryPersonal Access Tokens
Project access tokensAccess tokens scoped to a projectProject access tokens
Group access tokensAccess tokens scoped yo a groupGroup access tokens
Impersonation TokensAdmin‑created personal access token that lets you authenticate to the GitLab API, repositories, and registry as a specific userImpersonation tokens
OAuth 2.0 tokensAllow other services to access the GitLab API on a user’s behalfOAuth 2.0 tokens
Keys
SSH KeysGit WorkflowsUse SSH Keys
Other
User passwordsUser AuthenticationSecurity configuration
Two-factor authentication (2FA)Additional level of security to GitLab accountTwo-factor Authentication

Credential Configuration Parameters

This section lists all parameters available for credential configuration. Each parameter can be set by an administrator through the Admin UI, REST API request, or defined in a configuration file.

Single Sign-on Authentication

Software Factory recommends implementing SAML-based authentication for Single Sign-On (SSO).

We also advise disabling password and passkey authentication for the web interface by going to Admin UI > Setting > General , expand Sign-in restrictions , uncheck Allow password and passkey authentication for the web interface , select Save .

Credentials typeParametersConfiguration locationAdmin panel configurationDefault configurationRecommendationOfficial documentation link
Access tokensLifetime limitOnly in Admin UIIn Admin panel go to Settings > General , expand Account and limit section, fill Maximum allowable lifetime for access tokens (days), select Save changes365 days90 daysAccount and limit settings
Require expiration dates for new access tokensOnly in Admin UIIn Admin panel go to Settings > General , expand Account and limit section, navigate to Access token expirationEnabledEnabledRequire expiration dates for tokens
Inactive project and group access token retention periodOnly in Admin UIIn Admin panel go to Settings > General , expand Account and limit section, navigate to Inactive project and group access token retention period30 days30 daysInactive project/group token retention
User OAuth applications settingOnly in Admin UIIn Admin panel go to Settings > General , expand Account and limit section, select or clear User OAuth applicationsEnabledEnabledUser OAuth application setting
OAuth authorizationsOnly in Admin UIIn Admin panel go to Settings > General , expand Account and limit section, select or clear Allow user to use resource owner password credentials flow without OAuth client credentialsEnabledEnabledOAuth authorizations
SSH KeysLifetime limitOnly in Admin UIIn Admin panel go to Settings > General , expand Account and limit section, fill Maximum allowable lifetime for SSH keys (days), select Save changes365 days180 daysLimit the lifetime of SSH keys
Key restrictionsOnly in Admin UIIn Admin panel go to Settings > General , expand Visibility and access controls section, look for SSH KeysAll SSH key types allowedCheck SSH Keys restrictions recommendationSSH keys restrictions
User passwordsPassword complexityIn Admin UI or through REST APIIn Admin panel go to Settings > General , then expand Sign-up restrictionsDefault password requirementsRecommended password complexity . Software Factory recommends setting up SSO .GitLab password complexity
Two-factor authenticationEnforce two-factor authentication for all usersOnly in Admin UIIn Admin panel go to Settings > General , then expand Sign-in restrictions , select the Enforce two-factor authentication checkboxDefaultRecommendationEnfoce 2FA authentication
Enforce two-factor authentication for administratorsOnly in Admin UIIn Admin panel go to Settings > General , then expand Sign-in restrictions , select the Enforce two-factor authentication for administrators checkboxDefaultRecommendationEnfoce 2FA authentication

SSH Keys recommendations

  • DSA Keys are forbidden
  • RSA Keys must be at least 2048 bits
  • ECDSA Keys must be at least 256 bits
  • ED25519 Keys must be at least 256 bits

Password complexity defaults

SettingDescription
Minimum password lengthSets the minimum number of characters required. Cannot be less than 8 characters or more than 128 characters.
Require numbersRequires passwords to contain at least one number (0-9). Premium and Ultimate only.
Require uppercase lettersRequires passwords to contain at least one uppercase letter (A-Z). Premium and Ultimate only.
Require lowercase lettersRequires passwords to contain at least one lowercase letter (a-z). Premium and Ultimate only.
Require symbolsRequires passwords to contain at least one symbol. Premium and Ultimate only.

Password complexity recommendation

SettingDescription
Minimum password lengthSets the minimum number of characters required. Cannot be less than 16 characters or more than 128 characters.
Require numbersRequires passwords to contain at least one number (0-9).
Require uppercase lettersRequires passwords to contain at least one uppercase letter (A-Z).
Require lowercase lettersRequires passwords to contain at least one lowercase letter (a-z).
Require symbolsRequires passwords to contain at least one symbol.