Deploy key settings

A deploy key is an SSH key stored on your server that grants access to a repository. This guide explains the benefits and limitations of deploy keys, their accessible IP ranges, and how to set them up.

Benefits and limitations

  • Supports password-less login via the SSH protocol for simple, secure, read-only repository access.

  • Lets automated systems or specific services deploy code from a repository without needing a personal user account.

  • You can add a single deploy key to multiple repositories. This is convenient for complex projects that require a server to pull from many repositories.

Important

Anyone with access to a server with a configured deploy key can obtain the key and use it to clone the repository. To enhance security, Alibaba Cloud DevOps requires an IP allowlist for deploy keys, which restricts pull operations to allowed IP addresses.

Accessible IP ranges

  • To ensure key security, you must use an IP allowlist with deploy keys.

  • An enterprise administrator must enable the IP allowlist service in the enterprise settings. Then, they must set the IP addresses allowed to use deploy keys. IP addresses outside this list cannot use a deploy key to access repositories.

Set up a deploy key

  1. Generate a deploy key. If you do not have one, run the following command on your server:

    ssh-keygen -t rsa

  2. As a repository administrator, go to your repository and select Settings in the lower-left corner.

  3. From the left navigation pane, select Deploy Keys, and then click New Key in the upper-right corner.

    The page displays a message: The deploy key is not yet active. It activates only after you configure the IP allowlist range in enterprise settings. The page is divided into two sections, enabled keys and available keys, both of which are currently empty.

  4. On the new key page, paste your server's public key, enter a title, and then click New Key.
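The key-generation step above, expanded into a dedicated per-server key with a fingerprint you can compare against the one listed for the key on the Deploy Keys page. This is an added example, not part of the original guide: the function names, the key directory, the `-b 4096` key size and the key comment are assumptions, and the hash type is a parameter because the guide does not say which fingerprint format the page shows.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names, directory
# layout and key comment are hypothetical; adjust them to your server.

# make_deploy_key DIR COMMENT
# Creates DIR/deploy_key and DIR/deploy_key.pub, refusing to overwrite an
# existing key so a running deployment is never silently re-keyed.
make_deploy_key() {
    dir=$1
    comment=$2
    key="$dir/deploy_key"
    if [ -e "$key" ]; then
        echo "refusing to overwrite existing key: $key" >&2
        return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # Empty passphrase (-N "") because an unattended deploy job cannot type
    # one. File permissions and the IP allowlist are then the only controls
    # on the private key, so it gets its own file and mode 600.
    ssh-keygen -q -t rsa -b 4096 -N "" -C "$comment" -f "$key" || return 1
    chmod 600 "$key"
}

# deploy_key_fingerprint DIR [sha256|md5]
# Prints the public key's fingerprint in the requested hash format.
deploy_key_fingerprint() {
    ssh-keygen -l -E "${2:-sha256}" -f "$1/deploy_key.pub" | awk '{print $2}'
}

# deploy_key_mode_ok DIR
# Succeeds only if the private key has no group or other permission bits.
deploy_key_mode_ok() {
    perms=$(ls -l "$1/deploy_key" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage (constructed values):
#   make_deploy_key /etc/deploy/repo-a "deploy@build-server"
#   cat /etc/deploy/repo-a/deploy_key.pub          # paste into the new key page
#   deploy_key_fingerprint /etc/deploy/repo-a      # compare with the listed key
#   deploy_key_mode_ok /etc/deploy/repo-a || echo "private key is too open"
```

Using a separate key file per server, rather than the account's default `~/.ssh/id_rsa`, means removing that one key from the repository cuts off only that server.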

Available keys

The available keys section lists deploy keys from other repositories you can access, allowing you to apply an existing key to the current repository with a single click.

Find the target key in the list and click Enable in the Actions column to apply it to the current repository.

To delete a deploy key, you must remove it from every repository that uses it. Once removed from all repositories, the key disappears from the available keys list of other repositories.

On the repository Settings > Deploy Keys page, the enabled keys section lists the name, fingerprint, and actions for each key configured for the current repository (you can click Remove to delete a key). The available keys section lists keys that can be synced from other repositories. A banner at the top of the page indicates that deploy key access is restricted by an IP allowlist. You can modify this list in enterprise settings > IP allowlist. To create a deploy key, click New Key in the upper-right corner.