Service accounts

Tier: Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

Service accounts are user accounts that represent non-human entities rather than individual people. You can use service accounts to perform automated actions, access data, or run scheduled processes. Service accounts are commonly used in pipelines or third-party integrations where credentials must remain stable and unaffected by changes in human user membership.

You authenticate as a service account with a personal access token. Service accounts have the same abilities as human users, and can perform actions like interacting with package and container registries, performing Git operations, and accessing the API.

There are two types of service accounts:

Account type	Description
Instance-level service accounts	Associated with an entire GitLab instance Must be created by an administrator for the instance. Unavailable on GitLab.com.
Group-level service accounts	Associated with a specific top-level group Must be created by an Owner for a top-level group. Can only be associated with a single top-level group.

Service accounts:

Do not use a seat.
Cannot sign in to GitLab through the UI.
Are identified in the group and project membership as service accounts.
Do not receive notification emails without additional configuration.
Are not billable users or internal users.
Cannot be used with trial versions of GitLab.com.
Can be used with trial versions of GitLab Self-Managed and GitLab Dedicated.

You can also manage service accounts through the API.

For instance-level service accounts, use the service account users API.
For group-level service accounts, use the group service accounts API.

Prerequisites

For instance-level service accounts, you must be an administrator for the instance.
For group-level service accounts, you must have the Owner role in a top-level group.

View and manage service accounts

History

The Service Accounts page displays information about service accounts in your top-level group or instance. Each top-level group and GitLab Self-Managed instance has a separate Service Accounts page. From these pages, you can:

View all service accounts for your group or instance.
Delete a service account.
Edit a service account’s name or username.
Manage personal access tokens for a service account.

To view the Service Accounts page:

On the left sidebar, at the bottom, select Admin.
Select Settings > Service Accounts.

To view the Service Accounts page:

On the left sidebar, select Search or go to and find your group.
Select Settings > Service Accounts.

Create a service account

History

Introduced for GitLab.com in GitLab 16.3
Top-level group owners can create Service accounts introduced in GitLab 17.5 with a feature flag named allow_top_level_group_owners_to_create_service_accounts for GitLab Self-Managed. Disabled by default.
Top-level group owners can create Service accounts generally available in GitLab 17.6. Feature flag allow_top_level_group_owners_to_create_service_accounts removed.

The number of service accounts you can create is restricted by the number of service accounts allowed under your license:

On GitLab Free, service accounts are not available.
On GitLab Premium, you can create one service account for every paid seat you have.
On GitLab Ultimate, you can create an unlimited number of service accounts.

Prerequisites:

For group-level service accounts on GitLab Self-Managed or GitLab Dedicated, you must be allowed to create service accounts.

To create a service account:

Go to the Service Accounts page.
Select Add service account.
Enter a name for the service account. A username is automatically generated based on the name. You can modify the username if needed.
Select Create service account.

Edit a service account

You can edit the name or username of a service account.

To edit a service account:

Go to the Service Accounts page.
Identify a service account.
Select the vertical ellipsis ( ) > Edit.
Edit the name or username for the service account.
Select Save changes.

Service account access to groups and projects

Service accounts are similar to external users. When first created, they have limited access to groups and projects. To give a service account access to resources, you must add it to each group or project.

There is no limit to the number of service accounts you can add to a group or project. Service accounts can have different roles in each group, subgroup, or project they are a member of. However, group-level service accounts can only belong to one top-level group.

You can manage service account access to groups and projects the same way you manage access for human users. For more information, see groups and members of a project.

You can also manage group and project assignments with the members API.

Delete a service account

When you delete a service account, any contributions made by the account are retained and ownership is transfered to a system-wide ghost user account. These contributions can include activity such as merge requests, issues, projects, and groups.

To delete a service account:

Go to the Service Accounts page.
Identify a service account.
Select the vertical ellipsis ( ) > Delete Account.
Enter the name of the service account.
Select Delete user.

You can also delete the service account and any contributions made by the account. These contributions can include activity such as merge requests, issues, groups, and projects.

Go to the Service Accounts page.
Identify a service account.
Select the vertical ellipsis ( ) > Delete Account and Contributions.
Enter the name of the service account.
Select Delete user and contributions.

You can also delete service accounts through the API.

For instance-level service accounts, use the users API.
For group-level service accounts, use the group service accounts API.

View and manage personal access tokens for a service account

The personal access tokens page displays information about the personal access tokens associated with a service account in your top-level group or instance. From these pages, you can:

Filter, sort, and view details about personal access tokens.
Rotate personal access tokens.
Revoke personal access tokens.

You can also manage personal access tokens for service accounts through the API.

For instance-level service accounts, use the personal access tokens API.
For group-level service accounts, use the group service accounts API.

To view the personal access tokens page for a service account:

Go to the Service Accounts page.
Identify a service account.
Select the vertical ellipsis ( ) > Manage Access Tokens.

Create a personal access token for a service account

To use a service account, you must create a personal access token to authenticate requests.

To create a personal access token for a service account:

Go to the Service Accounts page.
Identify a service account.
Select the vertical ellipsis ( ) > Manage Access Tokens.
Select Add new token.
In Token name, enter a name for the token.
Optional. In Token description, enter a description for the token.
In Expiration date, enter an expiration date for the token.
- The token expires on that date at midnight UTC. A token with the expiration date of 2024-01-01 expires at 00:00:00 UTC on 2024-01-01.
- If you do not enter an expiry date, the expiry date is automatically set to 365 days later than the current date.
- By default, this date can be a maximum of 365 days later than the current date. In GitLab 17.6 or later, you can extend this limit to 400 days.
Select the desired scopes.
Select Create personal access token.

Rotate a personal access token

You can rotate a personal access token to invalidate the current token and generate a new value.

This cannot be undone. Any services that rely on the rotated token will stop working.

To rotate a personal access token for a service account:

Go to the Service Accounts page.
Identify a service account.
Select the vertical ellipsis ( ) > Manage Access Tokens.
Select Rotate.
On the confirmation dialog, select Rotate.

Revoke a personal access token

You can rotate a personal access token to invalidate the current token.

This cannot be undone. Any services that rely on the revoked token will stop working.

To revoke a personal access token for a service account:

Go to the Service Accounts page.
Identify a service account.
Select the vertical ellipsis ( ) > Manage Access Tokens.
Select Revoke.
On the confirmation dialog, select Revoke.

Rate limits

Rate limits apply to service accounts:

On GitLab.com, GitLab.com-specific rate limits apply.
On GitLab Self-Managed and GitLab Dedicated, these rate limits apply:
- Configurable rate limits
- Non-configurable rate limits

Troubleshooting

“You are about to incur additional charges” warning when adding a service account

When you add a service account, you might see a warning message stating that this action will incur additional charges due to exceeding the subscription seat count. This behavior is being tracked in issue 433141.

Adding a service account does not:

Incur additional charges.
Increase your seat usage count after you’ve added the account.

Docs

Edit this page to fix an error or add an improvement in a merge request.

Create an issue to suggest an improvement to this page.

Product

Create an issue if there's something you don't like about this feature.

Propose functionality by submitting a feature request.

Feature availability and product trials

View pricing to see all GitLab tiers and features, or to upgrade.

Try GitLab for free with access to all features for 30 days.

Get help

If you didn't find what you were looking for, search the docs.

If you want help with something specific and could use community support, post on the GitLab forum.

For problems setting up or using this feature (depending on your GitLab subscription).

Request support