Which token should I use to connect to GitLab from my workstation?
Use a Personal Access token to connect from your workstation to GitLab. The token is unique to you and can provide access to the same resources you can access in the web interface. Personal Access tokens are a user credential, just like a password.
Which token should I use to configure an automated task that connects to GitLab?
Deploy tokens and Project Access tokens are best suited for tasks that need to connect to GitLab but should not be associated with an individual staff member. Frequently, this would be an automated task, like performing a scheduled git pull of changes from a remote repository in GitLab. Deploy and Project Access tokens are similar to a shared login or machine login credential.
What are the best practices for token security?
All tokens should be scoped to only the access level they need, and they should have an expiration date. The expiration date you select depends on what interval you feel won't be too disruptive.
Wherever possible, tokens should not be stored in plain text but integrated into the local machine's encrypted credential storage.
Can I use tokens in GitLab CI processes?
Project Access and Deploy tokens can be useful in automated processes run with GitLab CI. However, tokens should never be hard-coded into a script or committed to a GitLab repository. To securely use a token as part of a GitLab CI process, store the token as a GitLab variable and mask the variable so that the token value isn't displayed in logs. Then write your .gitlab-ci.yml file so that GitLab injects the token value into the process when it's needed.
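The pattern described above, as an added example that is not part of the original page: a .gitlab-ci.yml job that clones another repository with a Deploy token injected from a masked variable, with the hard-coded form shown commented out for contrast. DEPLOY_USER, DEPLOY_TOKEN, gitlab.example.com and group/shared-config are assumed names and placeholders, and the runner image is assumed to provide git.

```yaml
# Added example; not from the original page.
# Assumptions: DEPLOY_USER and DEPLOY_TOKEN are hypothetical variable names created
# under the project's Settings > CI/CD > Variables, with DEPLOY_TOKEN marked "Masked".
# gitlab.example.com and group/shared-config are placeholders.

stages:
  - fetch

# Weak form (kept commented out): the token is committed with the file, so it is
# readable by everyone with repository access and stays in the Git history.
# fetch-shared-config:
#   script:
#     - git clone https://deploy-user:HARDCODED_TOKEN_PLACEHOLDER@gitlab.example.com/group/shared-config.git

fetch-shared-config:
  stage: fetch
  variables:
    GIT_TERMINAL_PROMPT: "0"   # fail instead of waiting for input if the credential is rejected
  script:
    # Stop with a clear message if GitLab did not inject the variable
    # (for example, a protected variable used on an unprotected branch).
    - 'test -n "${DEPLOY_TOKEN}" || { echo "DEPLOY_TOKEN is not set"; exit 1; }'
    # The inline credential helper reads the token from the job environment when git
    # asks for it. The single quotes keep the runner's shell from expanding the value,
    # so the token is not placed in the command line, the clone URL or .git/config.
    - |
      git -c credential.helper='!f() { echo "username=${DEPLOY_USER}"; echo "password=${DEPLOY_TOKEN}"; }; f' \
        clone https://gitlab.example.com/group/shared-config.git shared-config
    # Masking hides only the exact token value in job logs, so do not print an
    # encoded or otherwise transformed copy of it.
```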
What types of SSH key access are allowed in GitLab?
You can access your project repositories in GitLab via SSH key, which can be very useful (for setup instructions, see DoIT Shared Tools - GitLab - Setting up remote repositories). However, SSH key access has limitations that tokens do not have. You cannot access the GitLab API or registry via SSH key. In addition, you can only connect via SSH to a project in DoIT's GitLab instance from an on-campus IP address. Users working off-campus must log into WiscVPN (see WiscVPN (uwmadison.vpn.wisc.edu) - Getting Started) before they can connect with SSH.
GitLab also provides Deploy keys, which serve a similar purpose to Deploy tokens but are SSH key-based. Deploy keys have the same limitations as personal workstation SSH keys mentioned above.