- Requirements
- Configure deployment approvals for a project
- Approve or reject a deployment
- How to see blocked deployments
- Related features
Deployment approvals
It may be useful to require additional approvals before deploying to certain protected environments (for example, production). This pre-deployment approval requirement is useful to accommodate testing, security, or compliance processes that must happen before each deployment.
When a protected environment requires one or more approvals, all deployments to that environment become blocked and wait for the required approvals from the Allowed to Deploy list before running.
Requirements
- Basic knowledge of GitLab Environments and Deployments.
- Basic knowledge of Protected Environments.
Configure deployment approvals for a project
To configure deployment approvals for a project:
Create a deployment job
Create a deployment job in the .gitlab-ci.yaml file of the desired project. The job does not need to be manual (when: manual).
Example:
stages:
- deploy
production:
stage: deploy
script:
- 'echo "Deploying to ${CI_ENVIRONMENT_NAME}"'
environment:
name: ${CI_JOB_NAME}
Require approvals for a protected environment
There are two ways to configure the approval requirements:
- Unified approval setting … You can define who can execute and approve deployments. This is useful when there is no separation of duties between executors and approvers in your organization.
- Multiple approval rules … You can define who can execute or approve deployments. This is useful when there is a separation of duties between executors and approvers in your organization.
Unified approval setting
There are two ways to configure approvals for a protected environment:
- Using the UI
- Set the Required approvals field to 1 or more.
- Using the REST API
- Set the
required_approval_countfield to 1 or more.
- Set the
After this is configured, all jobs deploying to this environment automatically go into a blocked state and wait for approvals before running. Ensure that the number of required approvals is less than the number of users allowed to deploy.
Example:
curl --header 'Content-Type: application/json' --request POST \
--data '{"name": "production", "deploy_access_levels": [{"group_id": 9899826}], "required_approval_count": 1}' \
--header "PRIVATE-TOKEN: <your_access_token>" \
"https://gitlab.example.com/api/v4/projects/22034114/protected_environments"
Multiple approval rules
After this is configured, all jobs deploying to this environment automatically go into a blocked state and wait for approvals before running. Ensure that the number of required approvals is less than the number of users allowed to deploy.
Example:
With this setup:
Using either the GitLab UI or the API, you can:
Prerequisites:
To approve or reject a deployment to a protected environment using the UI:
Prerequisites:
To approve or reject a deployment to a protected environment using the API, pass the
required attributes. For more details, see
Approve or reject a blocked deployment.
Example:
Use the Deployments API to see deployments.
For details about other GitLab features aimed at protecting deployments, see safe deployments.
deploy_access_levels represents which entity can execute the deployment job.
approval_rules represents which entity can approve the deployment job.
curl --header 'Content-Type: application/json' --request POST \
--data '{"name": "production", "deploy_access_levels": [{"group_id": 138}], "approval_rules": [{"group_id": 134}, {"group_id": 135, "required_approvals": 2}]}' \
--header "PRIVATE-TOKEN: <your_access_token>" \
"https://gitlab.example.com/api/v4/groups/128/protected_environments"
group_id: 138) has permission to execute the deployment jobs to the production environment in the organization (group_id: 128).
group_id: 134) and security group (group_id: 135) have permission to approve the deployment jobs to the production environment in the organization (group_id: 128).
Approve or reject a deployment
Approve or reject a deployment using the UI
Approve or reject a deployment using the API
curl --data "status=approved&comment=Looks good to me" \
--header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/1/deployments/1/approval"
How to see blocked deployments
Using the UI
blocked label.
Using the API
status field indicates if a deployment is blocked.
pending_approval_count field indicates how many approvals are remaining to run a deployment.
approvals field contains the deployment’s approvals.
approval_summary field contains the current approval status per rule.
Related features
Help & feedback
Docs
Edit this page to fix an error or add an improvement in a merge request.Create an issue to suggest an improvement to this page.
Product
Create an issue if there's something you don't like about this feature.Propose functionality by submitting a feature request.
to help shape new features.
Feature availability and product trials
to see all GitLab tiers and features, or to upgrade.with access to all features for 30 days.
Get Help
If you didn't find what you were looking for,
search the docs.
If you want help with something specific and could use community support,
.
For problems setting up or using this feature (depending on your GitLab
subscription).