diff --git a/config/feature_flags/development/deploy_key_for_protected_tags.yml b/config/feature_flags/development/deploy_key_for_protected_tags.yml
new file mode 100644
index 0000000000000000000000000000000000000000..48192a818996dcd8b411fa526cc9c70407d74a2b
--- /dev/null
+++ b/config/feature_flags/development/deploy_key_for_protected_tags.yml
@@ -0,0 +1,8 @@
+---
+name: deploy_key_for_protected_tags
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/110238
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/389237
+milestone: '15.9'
+type: development
+group: group::source code
+default_enabled: false
diff --git a/lib/gitlab/deploy_key_access.rb b/lib/gitlab/deploy_key_access.rb
index ca16582d2b4fd3aa50e469bb748ab20e8a69aacf..a582c978be7f8f635787dfe042d6a19f2ff1ab0a 100644
--- a/lib/gitlab/deploy_key_access.rb
+++ b/lib/gitlab/deploy_key_access.rb
@@ -17,11 +17,14 @@ def can_push_for_ref?(ref)
 attr_reader :deploy_key
 def protected_tag_accessible_to?(ref, action:)
- assert_project!
-
- # a deploy key can always push a protected tag
- # (which is not always the case when pushing to a protected branch)
- true
+ if Feature.enabled?(:deploy_key_for_protected_tags, project)
+ super
+ else
+ assert_project!
+ # a deploy key can always push a protected tag
+ # (which is not always the case when pushing to a protected branch)
+ true
+ end
 end
 def can_collaborate?(_ref)
diff --git a/spec/lib/gitlab/deploy_key_access_spec.rb b/spec/lib/gitlab/deploy_key_access_spec.rb
index 83b97c8ba25dcaa70a299191b0f828fea19a321e..e32858cc13f84dfc19f87133eb87afb039c7c56e 100644
--- a/spec/lib/gitlab/deploy_key_access_spec.rb
+++ b/spec/lib/gitlab/deploy_key_access_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-RSpec.describe Gitlab::DeployKeyAccess do
+RSpec.describe Gitlab::DeployKeyAccess, feature_category: :source_code_management do
 let_it_be(:user) { create(:user) }
 let_it_be(:deploy_key) { create(:deploy_key, user: user) }
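Review bot: In `protected_tag_accessible_to?` (lib/gitlab/deploy_key_access.rb), `assert_project!` now runs only on the flag-off path, whereas the removed lines ran it unconditionally, and the flag check itself reads `project` before anything has asserted it. Hoisting the guard to the first line of the method, `assert_project!` above `if Feature.enabled?(:deploy_key_for_protected_tags, project)`, keeps the failure mode the same on both paths. `super` resolves to a parent implementation outside this hunk, so it is worth confirming there that the decision is made against the deploy key's own create access level and not only against the key owner's permissions. The comment kept in the `else` branch would be clearer as `# legacy behaviour while the flag is off: tag protection is not enforced for deploy keys`, since with the flag on a deploy key can no longer always push a protected tag.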
@@ -17,10 +17,30 @@
 end
 describe '#can_create_tag?' do
+ let!(:protected_tag) { create(:protected_tag, :no_one_can_create, project: project, name: 'v*') }
+
+ context 'when no-one can create tag' do
+ it 'returns false' do
+ expect(access.can_create_tag?('v0.1.2')).to be_falsey
+ end
+
+ context 'when deploy_key_for_protected_tags FF is disabled' do
+ before do
+ stub_feature_flags(deploy_key_for_protected_tags: false)
+ end
+
+ it 'allows to push the tag' do
+ expect(access.can_create_tag?('v0.1.2')).to be_truthy
+ end
+ end
+ end
+
 context 'push tag that matches a protected tag pattern via a deploy key' do
- it 'still pushes that tag' do
- create(:protected_tag, project: project, name: 'v*')
+ before do
+ create(:protected_tag_create_access_level, protected_tag: protected_tag, deploy_key: deploy_key)
+ end
+ it 'allows to push the tag' do
 expect(access.can_create_tag?('v0.1.2')).to be_truthy
 end
 end
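Review bot: The new examples in `describe '#can_create_tag?'` cover "no one may create" and "this key is allowed", but not the case where create access is granted to a different deploy key. That case is what shows the check is bound to the pushing key rather than to the presence of any deploy-key access level on the protected tag. An example along the lines below would pin it down. The second key may need the same project setup that `deploy_key` receives above this hunk, which is not visible here. The first `it 'returns false'` also relies on the flag being on without saying so; naming the flag in that context would make the pairing with the disabled-flag context explicit. The `describe` block's closing `end` appears to lie outside the hunk.

```ruby
context 'when a different deploy key is allowed to create the tag' do
  let_it_be(:other_deploy_key) { create(:deploy_key, user: user) }

  before do
    # … other_deploy_key may need the project write-access setup used for deploy_key above the hunk …
    create(:protected_tag_create_access_level, protected_tag: protected_tag, deploy_key: other_deploy_key)
  end

  it 'returns false' do
    expect(access.can_create_tag?('v0.1.2')).to be_falsey
  end
end
```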