Deploy Key
About 267 wordsLess than 1 minute
Deploy Keys are read-only credentials on the CNB platform. They allow secure retrieval of repository code or artifacts in CI/CD pipelines or automated scripts without exposing primary account keys.
Creating a Deploy Key
Log in and navigate to Organization Settings / Repository Settings / Artifact Settings → Deploy Keys → Add Deploy Key to configure the following parameters:
- Token Name: Unique identifier for the token
- Expiration: Token expiry time; the token becomes unusable after expiration
- Scope: Permissions authorized for the token
Usage
Accessing Code Repositories:
- Username:
cnb - Password: The added deploy key
Accessing Artifact Repositories:
- Username:
cnb - Password: The added deploy key
Accessing OpenAPI
See: Open API
Deploy Keys vs. Access Tokens
| Aspect | Deploy Keys | Access Tokens |
|---|---|---|
| Permissions | Read-only | Configurable read/write or read-only |
| Scope | Determined by the resource level where the key is created | Tied to user permissions |
| User association | No user association, resource-centric only | Tied to user, inherits user permissions |
| OpenAPI | Can invoke AI-related endpoints | Requires repo write permission [¹] |
[¹] The associated user must have repository write permissions.
Default Permission Rules
- Private Repositories/Artifacts: No permissions by default; scopes must be manually selected
- Public Repositories/Artifacts: Read-only access by default
Important Notes
- Deploy Keys are not suitable for write operations (e.g., publishing or uploading artifacts)
- Regularly audit token usage and promptly revoke any that are no longer needed
- Ensure the correct scope is selected during creation to avoid permission errors due to unchecked defaults