Deploy Key
Deploy Keys are read-only credentials on the CNB platform. They allow secure retrieval of repository code or artifacts in CI/CD pipelines or automated scripts without exposing primary account keys.
Common use cases:
- Automated scripts fetching code or dependency artifacts
- Passwordless repository access (read-only) in CI/CD
- Granting least-privilege access for third-party service integrations
Creating a Deploy Key
Log in and navigate to Organization Settings / Repository Settings / Artifact Settings → Deploy Keys → Add Deploy Key, and configure the following parameters:
- Token Name: Unique identifier for the token
- Expiration: Token expiry time; the token becomes unusable after expiration
- Scope: Permissions authorized for the token
Usage Scenarios
Accessing Code Repositories:
- Username: cnb
- Password: The added deploy key
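The following is an added example, not CNB's own tooling: a way to pass the `cnb` username and a deploy key to `git` over HTTPS without writing the key into the clone URL, `.git/config` or the command line. The environment variable `CNB_DEPLOY_KEY`, the function names and the `cnb.example` URL are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: clone over HTTPS with a CNB deploy key without writing the
# key into the URL, .git/config or git's argv.
# Assumptions (not from the page): the key is held in $CNB_DEPLOY_KEY and the
# URL passed to cnb_clone is your repository's HTTPS clone URL.

# Inline git credential helper. Git runs it through the shell with the action
# ("get", "store", "erase") appended; on "get" it answers with the fixed
# username "cnb" and the key read from the environment at call time.
CNB_HELPER='!f() { test "$1" = get && printf "username=cnb\npassword=%s\n" "$CNB_DEPLOY_KEY"; }; f'

# Run the helper the same way git does, to inspect what git would receive.
cnb_helper_output() {
  CNB_DEPLOY_KEY=$1 sh -c "${CNB_HELPER#?} get"
}

# Accept only https:// URLs with no "@" anywhere: user:password@host URLs are
# saved to .git/config and show up in process listings. (Conservative: this
# also rejects an "@" in the path.)
cnb_url_is_clean() {
  case "$1" in
    https://*@*) return 1 ;;
    https://*)   return 0 ;;
    *)           return 1 ;;
  esac
}

cnb_clone() {
  cnb_url=$1
  cnb_dest=$2
  cnb_url_is_clean "$cnb_url" || { echo "refusing URL with credentials or non-HTTPS scheme" >&2; return 1; }
  [ -n "${CNB_DEPLOY_KEY:-}" ] || { echo "CNB_DEPLOY_KEY is not set" >&2; return 1; }
  # The empty credential.helper clears any configured helpers so the key is
  # not cached on the runner; GIT_TERMINAL_PROMPT=0 fails fast instead of prompting.
  CNB_DEPLOY_KEY=$CNB_DEPLOY_KEY GIT_TERMINAL_PROMPT=0 git \
    -c credential.helper= -c "credential.helper=$CNB_HELPER" \
    clone --depth 1 "$cnb_url" "$cnb_dest"
}

# Usage (placeholder URL): cnb_clone https://cnb.example/ORG/REPO.git ./src
```

In a pipeline, inject `CNB_DEPLOY_KEY` from the CI system's secret store rather than defining it in the script.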
Accessing Artifact Repositories:
- Username: cnb
- Password: The added deploy key
Accessing OpenAPI
See: Open API
Deploy Keys vs. Access Tokens
- Read-Only: Deploy Keys can only read repository or artifact content; they cannot create releases or upload artifacts
- Scope: Determined by the resource level where the key is created — organization level for the entire organization, repository level for that repository, artifact level for that artifact
- Ownership: Access tokens are tied to user permissions; deploy keys are resource-centric with no user association
- OpenAPI Calls: Deploy Keys can invoke AI-related OpenAPI endpoints. Access tokens require the associated user to have repository write permissions for these endpoints
Default Permission Rules
- Private Repositories/Artifacts: No permissions by default; scopes must be manually selected
- Public Repositories/Artifacts: Read-only access by default
Important Notes
- Deploy Keys are not suitable for write operations (e.g., publishing or uploading artifacts)
- Regularly audit token usage and revoke any that are no longer needed
- Ensure the correct scope is selected during creation to avoid permission errors due to unchecked defaults