GitLab runner token vs runner registration token (gitlab.com)

^ in title

In each project’s pipelines page there’s a “runner registration token” you can use to associate the runner with the project.

But in the /etc/gitlab-runner/config.toml there’s also an entry called “token” which I believe is the “runner token”.

So what’s the difference, and where does the “runner token” in the config come from? We’re using Terraform to automate GitLab Runner deployment. Which “token” should I use in the config token section?

Registration tokens are used to create runner tokens.

The former are available at instance, group and project level so you may share runners across the instance, group or have dedicated runners for a project.

The runner token is used to authenticate and authorize. I.e. the runner is usable by a project, a group or all projects of an instance.

You may easily revoke a single runner’s token without invalidating other tokens. This is e.g. useful when a runner is compromised.

Additionally you may use this for resource sharing: buy a big machine, set its overall limit to 32 parallel runs and create 8 runner tokens for 8 different groups, restrict the parallelism of each token to 4 concurrent runs.

2 Likes

I know it’s a very old thread, but I’ll give it a try anyway…

I’m deploying a K8s executor that I’d like to redeploy regularly.

Is it possible to register it once and reuse the same runner token on each redeployment?

Or do I need to register it anew each time? It would require a clean-up of the previous instance each time!

You may create a runner token via API once from your local workstation and use that one to directly set up the runner. We store the created runner token in Vault and do a lookup from Puppet.
When always re-registering the runner you actually create new runners all the time, i.e. you need to re-add labels to them as well.
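
The register-once, reuse-on-redeploy flow discussed in this thread, as an added example that is not code from any of the posts. It assumes GitLab's registration-token endpoint `POST /api/v4/runners`; the function names, the `dict` standing in for Vault, and the host and token values are hypothetical or constructed.

```python
import json
import urllib.parse
import urllib.request


def build_registration_request(gitlab_url, registration_token, description, tags):
    """One-time call: the registration token is exchanged for a runner token."""
    form = urllib.parse.urlencode({
        "token": registration_token,  # registration token (project/group/instance)
        "description": description,
        "tag_list": ",".join(tags),
    }).encode()
    return urllib.request.Request(
        gitlab_url.rstrip("/") + "/api/v4/runners", data=form, method="POST")


def runner_token_from_response(body):
    """Pull the runner token out of the JSON reply, e.g. {"id": 1, "token": "..."}."""
    data = json.loads(body)
    if not isinstance(data, dict) or not data.get("token"):
        raise ValueError("registration reply carries no runner token")
    return data["token"]


def runner_token_for(store, key, register):
    """Reuse the stored runner token; call register() only if none is stored yet."""
    if key not in store:  # first deployment only
        store[key] = runner_token_from_response(register())
    return store[key]


def render_config(gitlab_url, runner_token, name, concurrent=4):
    """config.toml for each redeployment; 'token' holds the runner token."""
    return "\n".join([
        "concurrent = %d" % concurrent,
        "",
        "[[runners]]",
        "  name = %s" % json.dumps(name),
        "  url = %s" % json.dumps(gitlab_url),
        "  token = %s" % json.dumps(runner_token),  # never the registration token
        '  executor = "kubernetes"',
        "",
    ])
```

In a real deployment `register` would send the request built by `build_registration_request` and return the response body, and `store` would be the secret store the deployment tool reads from.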