I think I am missing something; I am very confused by those API keys. I'll try to explain (from what I understand):
- API keys are per team
- When creating a project, it needs to be associated with a team, one team only (actually, even if there is a red star next to the field, it doesn't seem mandatory)
- An API key from one team can't give access to a project from another team
So, I am setting up a CI/CD pipeline to upload the SBOMs for several different services. For it to work, I have 2 options:
1. I assign the same team to all projects, so I have one API key that can be used by the pipeline
2. I assign different teams to projects, so I have to set the pipeline to use each different key accordingly
3. Discovered 3 min ago: give the ACCESS_MANAGEMENT permission to the API key used by the CI.
With option 1, teams are useless in that case if all projects have the same one.
With option 2, that could be a lot of keys to manage/maintain.
Option 3, I guess, would be the way to go, but security-wise there is no reason to give that permission ("Allows the management of users, teams, and API keys") to upload SBOMs.
Another confusing bit: the team field is only present when creating a new project, but it is displayed nowhere in the project details and can't be updated (on the UI; I haven't tried via the API yet).
As I said, I might be missing something, so any help or idea would be welcome.
Thank you!