Personal Access Token (PAT) Setup Guide
Step-by-step instructions to create PAT tokens for GitHub, Azure DevOps, and GitLab with minimum required permissions
Overview
Personal Access Tokens (PATs) are required for CloudCanvas to interact with your repository providers. This guide covers creating PATs for all supported providers with the minimum permissions needed for:
- Repository Creation: Automatically create new repositories for architectures
- Pull Request Creation: Create PRs for code reviews and deployments
- Secret Management: Auto-configure repository secrets from cloud profiles
- Pipeline/Actions Setup: Create and configure CI/CD workflows
GitHub Personal Access Token
Navigate to GitHub Settings
Go to GitHub Settings and click on "Developer settings" in the left sidebar.
Alternatively, navigate directly to: https://github.com/settings/developers
Access Personal Access Tokens
Click on "Personal access tokens" → "Tokens (classic)" or "Fine-grained tokens" (recommended for better security).
Security Note
Fine-grained tokens provide better security with repository-specific permissions. Use classic tokens only if fine-grained tokens are not available for your organization.
Generate New Token
Click "Generate new token" → "Generate new token (classic)" or "Generate new token" for fine-grained tokens.
Configure Token Settings
Note: Give your token a descriptive name (e.g., "CloudCanvas Integration")
Expiration: Set an appropriate expiration date (recommended: 90 days or 1 year)
Select scopes: Check the following permissions:
Required Permissions (Classic Token):
- repo (Full control of private repositories) - Required for:
  - Creating repositories
  - Creating pull requests
  - Pushing code
  - Managing repository settings
- workflow - Required for:
  - Creating and updating GitHub Actions workflows
  - Managing workflow files
- admin:repo_hook (Optional but recommended) - For:
  - Managing webhooks
Required Permissions (Fine-grained Token):
- Repository access: Select specific repositories or "All repositories"
- Repository permissions:
  - Contents: Read and write
  - Metadata: Read-only (automatic)
  - Pull requests: Read and write
  - Secrets: Read and write (for auto-configuring secrets)
  - Actions: Read and write (for workflow management)
Generate and Copy Token
Click "Generate token" at the bottom of the page. Important: Copy the token immediately as it will only be shown once.
Security Warning
Store this token securely. If you lose it, you'll need to generate a new one. Never commit tokens to version control.
Azure DevOps Personal Access Token
Navigate to User Settings
Go to Azure DevOps and sign in. Click on your profile picture in the top right corner, then select "Personal access tokens".
Direct link: https://dev.azure.com/[YourOrganization]/_usersSettings/tokens
Create New Token
Click "+ New Token" to create a new personal access token.
Configure Token Details
Name: Enter a descriptive name (e.g., "CloudCanvas Integration")
Organization: Select your Azure DevOps organization
Note: When configuring in CloudCanvas, use only the organization name (e.g., cloudslize), not the full URL. The project name is specified separately.
Expiration: Set expiration date (recommended: 90 days)
Scopes: Select the following scopes:
Required Scopes:
- Code (Read & Write): Required for:
  - Creating repositories
  - Pushing code
  - Creating pull requests
  - Managing branches
- Build (Read & Execute): Required for:
  - Creating and managing Azure Pipelines
  - Viewing build status
- Project and Team (Read): Required for:
  - Accessing project information
  - Listing repositories
- Variable Groups (Read & Manage): Required for:
  - Auto-configuring repository secrets
  - Managing variable groups
Create and Copy Token
Click "Create". Copy the token immediately - it will only be displayed once.
Security Warning
Store this token securely. Azure DevOps tokens cannot be viewed again after creation.
GitLab Personal Access Token
Navigate to Access Tokens
Go to GitLab and sign in. Click on your profile picture in the top right, then select "Preferences" → "Access Tokens".
Direct link: https://gitlab.com/-/user_settings/personal_access_tokens
Create New Token
Fill in the token details:
- Token name: Enter a descriptive name (e.g., "CloudCanvas Integration")
- Expiration date: Set an expiration date (optional, recommended: 90 days)
Select Scopes
Check the following scopes:
Required Scopes:
- api: Complete read/write access to the API - Required for:
  - Creating repositories
  - Creating merge requests (PRs)
  - Managing repository settings
  - Full API access
- write_repository: Required for:
  - Pushing code
  - Creating branches
  - Managing files
- read_repository: Required for:
  - Reading repository content
  - Cloning repositories
- write_registry: (Optional) For container registry operations
Note: The api scope includes most permissions needed. For GitLab CI/CD, ensure your GitLab instance has CI/CD enabled.
Create and Copy Token
Click "Create personal access token". Copy the token immediately - it will only be shown once.
Security Warning
Store this token securely. GitLab tokens cannot be viewed again after the page is refreshed.
Permission Summary Table
| Feature | GitHub | Azure DevOps | GitLab |
|---|---|---|---|
| Create Repository | repo (Full control) | Code (Read & Write) | api, write_repository |
| Create Pull Request | repo (Full control) | Code (Read & Write) | api, write_repository |
| Auto-configure Secrets | repo (Full control) or Secrets (Read & Write) | Variable Groups (Read & Manage) | api |
| Create Pipeline/Actions | workflow (Read & Write) | Build (Read & Execute) | api (includes CI/CD) |
| Push Code | repo (Full control) | Code (Read & Write) | write_repository |
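One way to check a freshly created token against the scopes listed in this guide before handing it to CloudCanvas, as an added example (not CloudCanvas code). It assumes the scope list has already been fetched, from the `X-OAuth-Scopes` response header for a GitHub classic token or from GitLab's `GET /api/v4/personal_access_tokens/self`; the function names, sample responses and the 90-day limit (taken from the guide's rotation advice) are choices made for this example.

```python
import json
from datetime import date

# Scopes this guide lists as required and optional. The dictionary keys are
# names chosen for this example, not CloudCanvas identifiers.
REQUIRED = {
    "github_classic": {"repo", "workflow"},
    "gitlab": {"api", "write_repository", "read_repository"},
}
OPTIONAL = {
    "github_classic": {"admin:repo_hook"},
    "gitlab": {"write_registry"},
}
MAX_LIFETIME_DAYS = 90  # rotation interval the guide recommends

def parse_github_scopes(header_value):
    """Split an X-OAuth-Scopes header value such as "repo, workflow"."""
    return {s.strip() for s in header_value.split(",") if s.strip()}

def parse_gitlab_self(body):
    """Read scopes and expiry from a personal_access_tokens/self response."""
    info = json.loads(body)
    expires = info.get("expires_at")
    return set(info["scopes"]), date.fromisoformat(expires) if expires else None

def audit(provider, granted, expires_on, today):
    """Return findings; an empty list means the token matches the guide."""
    findings = []
    missing = REQUIRED[provider] - granted
    excess = granted - REQUIRED[provider] - OPTIONAL[provider]
    if missing:
        findings.append("missing: " + ", ".join(sorted(missing)))
    if excess:
        findings.append("excess: " + ", ".join(sorted(excess)))
    if expires_on is None:
        findings.append("no expiration set")
    elif expires_on < today:
        findings.append("expired")
    elif (expires_on - today).days > MAX_LIFETIME_DAYS:
        findings.append("expires in more than 90 days")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not output from a real account.
    today = date(2025, 1, 1)
    gh = parse_github_scopes("repo, workflow, delete_repo")
    print(audit("github_classic", gh, date(2025, 3, 1), today))
    gl = parse_gitlab_self('{"scopes": ["api", "write_repository"], "expires_at": null}')
    print(audit("gitlab", *gl, today))
```

An "excess" finding is the one to act on first: it means the token can do more than the operations in the table require.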
Security Best Practices
- Use minimum required permissions: Only grant the permissions needed for CloudCanvas operations
- Set expiration dates: Regularly rotate tokens (recommended: every 90 days)
- Store tokens securely: Never commit tokens to version control or share them publicly
- Use fine-grained tokens when available: GitHub fine-grained tokens provide better security
- Monitor token usage: Regularly review active tokens and revoke unused ones
- Use organization-level tokens when possible: For team environments, consider using service accounts
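To back up the "never commit tokens" rule with a check, the following added example (not part of CloudCanvas) scans the added lines of a staged diff for GitHub and GitLab token prefixes. The length bounds in the patterns, the file path in the sample and the function names are assumptions of this example, and Azure DevOps PATs are not matched by these prefix patterns.

```python
import re
import sys

# Token prefixes used by GitHub (classic, fine-grained) and GitLab PATs.
# The length bounds are assumptions of this example.
TOKEN_PATTERNS = {
    "github-classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github-fine-grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "gitlab": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}"),
}

def redact(token):
    """Keep only enough of the value to locate it, never the whole secret."""
    return token[:8] + "..."

def scan_diff(diff_text):
    """Return (diff_line, kind, redacted) for tokens on added lines only."""
    hits = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        # Only lines being added matter; skip file headers and removals.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((lineno, kind, redact(match.group())))
    return hits

def sample_diff():
    """Constructed diff; the tokens are fake, built from repeated characters."""
    return "\n".join([
        "+++ b/deploy/config.py",
        '+name = "CloudCanvas Integration"',
        '+GITHUB_TOKEN = "ghp_' + "A" * 36 + '"',
        "+gitlab_token: glpat-" + "x" * 20,
        '-old = "ghp_' + "B" * 36 + '"',
        '+token = os.environ["GITHUB_TOKEN"]',
    ])

if __name__ == "__main__":
    # As a pre-commit hook: git diff --cached | python3 this_script.py
    text = sample_diff() if sys.stdin.isatty() else sys.stdin.read()
    found = scan_diff(text)
    for lineno, kind, value in found:
        print(f"diff line {lineno}: {kind} token {value}")
    sys.exit(1 if found else 0)
```

A non-zero exit status blocks the commit when the script runs as a pre-commit hook; a token that is flagged after it has already been pushed should be revoked, not just deleted from the file.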
Troubleshooting
Token not working?
- Verify the token hasn't expired
- Check that all required permissions are granted
- Ensure the token hasn't been revoked
- For GitHub, verify organization policies allow the token
Repository creation fails?
- Verify the token has repository creation permissions
- Check organization/group settings allow repository creation
- Ensure you have sufficient quota/limits
Secrets not auto-configuring?
- Verify token has secrets/variables write permissions
- Check repository/organization settings allow secret management
- For Azure DevOps, ensure Variable Groups permissions are granted
Pipeline/Actions not creating?
- Verify workflow/pipeline permissions are granted
- Check that CI/CD is enabled in your repository/organization
- Ensure the token has write access to workflow files
Important: Azure DevOps Organization Format
✅ Correct Format
When configuring Azure DevOps in CloudCanvas Cloud Profile, use only the organization name:
cloudslize
The project name (e.g., "Cloud Canvas") is specified separately in the "Project" field.
❌ Incorrect Formats (Do Not Use)
- ✗ https://dev.azure.com/cloudslize (Full URL - includes protocol and domain)
- ✗ https://dev.azure.com/cloudslize/Cloud%20Canvas (Includes project name - project should be in separate field)
💡 Why? CloudCanvas constructs the full Azure DevOps URL internally. You only need to provide the organization identifier (e.g., cloudslize). The project name is managed separately to allow flexibility in repository creation across different projects.
🚀 What's Next?
Now that you have your PAT token, you can configure it in CloudCanvas: