Deploy Key
Deploy Keys are read-only credentials used by the CNB platform. They allow for the secure retrieval of repository code or artifacts within CI/CD pipelines and scripts without exposing primary account access keys.
Common Use Cases:
- Automated scripts fetching code or dependencies.
- Passwordless repository access (read-only) in CI/CD.
- Granting least-privilege access for third-party service integrations.
Creating a Deploy Key
Log in and navigate to Organization Settings / Repository Settings / Artifact Settings -> Deploy Keys -> Add Deploy Key.
Configure the following parameters:
- Token Name: A unique identifier for the token.
- Expiration: The date after which the token becomes invalid.
- Scope: Defines the specific permissions and operations authorized for the token.
Once created, the token string will be displayed.
Usage Scenarios
Repository Access
- Username: cnb
- Password: The generated Deploy Key
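The repository credentials above, used from a CI script without placing the key in the clone URL, `.git/config`, or the process list; this is an added example, not CNB's own code. It answers git's username and password prompts through `GIT_ASKPASS`; the variable name `CNB_DEPLOY_KEY` and the repository URL are assumptions.

```shell
#!/bin/sh
# Added example (not CNB's own code). Assumptions: CNB_DEPLOY_KEY is a CI
# secret variable (hypothetical name); the URL in the usage line is a placeholder.

make_askpass() {
  # git runs the GIT_ASKPASS program with the prompt text as $1.
  local helper
  helper="$(mktemp)" || return 1
  chmod 700 "$helper"
  cat >"$helper" <<'EOF'
#!/bin/sh
case "$1" in
  Username*) printf '%s\n' "cnb" ;;
  Password*) printf '%s\n' "$CNB_DEPLOY_KEY" ;;
  *) exit 1 ;;
esac
EOF
  printf '%s\n' "$helper"
}

clone_with_deploy_key() {
  # $1 = HTTPS repository URL without credentials, $2 = target directory
  local url="$1" dest="$2" authority helper rc=0
  [ -n "${CNB_DEPLOY_KEY:-}" ] || { echo "CNB_DEPLOY_KEY is not set" >&2; return 2; }
  case "$url" in
    https://*) ;;
    *) echo "only https:// URLs are accepted" >&2; return 3 ;;
  esac
  authority="${url#https://}"; authority="${authority%%/*}"
  case "$authority" in
    *@*) echo "refusing URL with embedded credentials" >&2; return 3 ;;
  esac
  helper="$(make_askpass)" || return 1
  # Empty credential.helper keeps the key out of any configured credential store.
  GIT_ASKPASS="$helper" GIT_TERMINAL_PROMPT=0 \
    git -c credential.helper= clone --depth 1 "$url" "$dest" || rc=$?
  rm -f "$helper"
  return "$rc"
}

# Usage: CNB_DEPLOY_KEY is exported by the CI system, then
#   clone_with_deploy_key "https://git.example.invalid/org/repo.git" ./src
```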
Artifact Library Access
- Username: cnb
- Password: The generated Deploy Key
OpenAPI Access
See: Open API
Deploy Keys vs. Access Tokens
- Read-Only: Deploy Keys are restricted to reading content; they cannot create releases or upload artifacts.
- Scope Hierarchy: The scope is determined by where the token is created. A token created at the Organization level applies to the entire organization, while tokens created at the Repository or Artifact level are restricted to those specific resources.
- Ownership: Access tokens are tied to specific user permissions, whereas Deploy Keys are resource-centric and independent of individual user accounts.
- OpenAPI Calls: Deploy Keys can be used to invoke AI-related OpenAPI endpoints. When an access token is used to call these endpoints instead, the user associated with the token must have write permission for the repository.
Default Permission Rules
- Private Repositories/Artifacts: No permissions by default; scopes must be manually selected.
- Public Repositories/Artifacts: Read-only access is granted by default.
Important Notes
- Deploy Keys are not suitable for write operations (e.g., publishing or uploading).
- Regularly audit token usage and revoke any that are no longer needed.
- Ensure the correct scope is selected during creation to avoid "Permission Denied" errors.