Deployment approvals
DETAILS: Tier: Premium, Ultimate Offering: SaaS, self-managed
- Introduced in GitLab 14.7 with a flag named
deployment_approvals
. Disabled by default.- Generally available in GitLab 14.8. Feature flag
deployment_approvals
removed.
You can require additional approvals for deployments to protected environments. Deployments are blocked until all required approvals are given.
Use deployment approvals to accommodate testing, security, or compliance processes. For example, you might want to require approvals for deployments to production environments.
Configure deployment approvals
You can require approvals for deployments to protected environments in a project.
Prerequisites:
- To update an environment, you must have at least the Maintainer role.
To configure deployment approvals for a project:
-
Create a deployment job in the
.gitlab-ci.yml
file of your project:stages: - deploy production: stage: deploy script: - 'echo "Deploying to ${CI_ENVIRONMENT_NAME}"' environment: name: ${CI_JOB_NAME} action: start
The job does not need to be manual (
when: manual
). -
Add the required approval rules.
The environments in your project require approval before deployment.
Add multiple approval rules
- Introduced in GitLab 14.10 with a flag named
deployment_approval_rules
. Disabled by default.- Generally available in GitLab 15.0. Feature flag
deployment_approval_rules
removed.- UI configuration introduced in GitLab 15.11.
Add multiple approval rules to control who can approve and execute deployment jobs.
To configure multiple approval rules, use the CI/CD settings. You can also use the API.
All jobs deploying to the environment are blocked and wait for approvals before running. Make sure the number of required approvals is less than the number of users allowed to deploy.
After a deployment job is approved, you must run the job manually.
Unified approval setting (deprecated)
- UI configuration removed in GitLab 15.11.
WARNING: This feature was deprecated in GitLab 16.1 and is planned for removal in 17.0. Use multiple approval rules instead. This change is a breaking change.
To configure approvals for a protected environment:
- Using the REST API,
set the
required_approval_count
field to 1 or more.
After this setting is configured, all jobs deploying to this environment automatically go into a blocked state and wait for approvals before running. Ensure that the number of required approvals is less than the number of users allowed to deploy.
Example:
curl --header 'Content-Type: application/json' --request POST \
--data '{"name": "production", "deploy_access_levels": [{"group_id": 9899826}], "required_approval_count": 1}' \
--header "PRIVATE-TOKEN: <your_access_token>" \
"https://gitlab.example.com/api/v4/projects/22034114/protected_environments"
Migrate to multiple approval rules
You can migrate a protected environment from unified approval rules to multiple approval rules. Unified approval rules allow all entities that can deploy to an environment to approve deployment jobs. To migrate to multiple approval rules, create a new approval rule for each entity allowed to deploy to the environment.
To migrate to multiple approval rules:
- On the left sidebar, select Search or go to and find your project.
- Select Settings > CI/CD.
- Expand Protected environments.
- From the Environment list, select your environment.
- For each entity allowed to deploy to the environment:
- Select Add approval rules.
- On the dialog, select which entity is allowed to approve the deployment job.
- Enter the number of required approvals.
- Select Save.
Each deployment requires the specified number of approvals from each entity.
For example, the Production
environment below requires five total approvals,
and allows deployments from only the group Very Important Group
and the user
Administrator
:
To migrate, create rules for the Very Important Group
and Administrator
. To
preserve the number of required approvals, set the number of required approvals
for Very Important Group
to four and Administrator
to one. The new rules
require Administrator
to approve every deployment job in Production
.
Allow self-approval
- Introduced in GitLab 15.8.
- Automatic approval removed in GitLab 16.2 due to usability issues.
By default, the user who triggers a deployment pipeline can't also approve the deployment job.
A GitLab administrator can approve or reject all deployments.
To allow self-approval of a deployment job:
- On the left sidebar, select Search or go to and find your project.
- Select Settings > CI/CD.
- Expand Protected environments.
- From the Approval options, select the Allow pipeline triggerer to approve deployment checkbox.
Approve or reject a deployment
- Introduced in GitLab 14.9
In an environment with multiple approval rules, you can:
- Approve a deployment to allow it to proceed.
- Reject a deployment to prevent it.
Prerequisites:
- You have permission to deploy to the protected environment.
To approve or reject a deployment:
- On the left sidebar, select Search or go to and find your project.
- Select Operate > Environments.
- Select the environment's name.
- In the deployment's row, select Approval options ({thumb-up}). Before you approve or reject the deployment, you can view the deployment's approval details.
- Optional. Add a comment which describes your reason for approving or rejecting the deployment.
- Select Approve or Reject.
You can also use the API.
View the approval details of a deployment
Prerequisites:
- You have permission to deploy to the protected environment.
A deployment to a protected environment can proceed only after all required approvals have been granted.
To view the approval details of a deployment:
- On the left sidebar, select Search or go to and find your project.
- Select Operate > Environments.
- Select the environment's name.
- In the deployment's row, select Approval options ({thumb-up}).
The approval status details are shown:
- Eligible approvers
- Number of approvals granted, and number of approvals required
- Users who have granted approval
- History of approvals or rejections
View blocked deployments
Review the status of your deployments, including whether a deployment is blocked.
To view your deployments:
- On the left sidebar, select Search or go to and find your project.
- Select Operate > Environments.
- Select the environment being deployed to.
A deployment with the blocked label is blocked.
To view your deployments, you can also use the API.
The status
field indicates whether a deployment is blocked.