GitLab CI "CI_JOB_TOKEN" 403 - Insufficient Job Token Permissions
CI_JOB_TOKEN authenticates a running job to GitLab. By default it is scoped narrowly, so cloning another project, hitting the API, or pulling a package across projects returns 403/401 until access is granted.
What this error means
A job using CI_JOB_TOKEN to clone a second repo, call the API, or pull a package registry fails with 401/403 - even though the token is valid for this project. The token simply is not allowed at the target.
fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.com/group/other-repo.git/':
The requested URL returned error: 403Common causes
Target project does not allow this token
Job-token access between projects is restricted by an allowlist. Unless the target project permits the source project, cross-project clone/API/package access is denied.
Operation needs more than read scope
The job token has limited scopes. Some API operations or package actions require permissions the job token is not granted.
How to fix it
Allow the source project in the target
- In the target project, open Settings → CI/CD → Token Access (Job token permissions).
- Add the source project to the allowlist so its
CI_JOB_TOKENis accepted. - Re-run the job; the cross-project clone/API call now authenticates.
Use the token correctly for clones
Clone with the gitlab-ci-token user and the job token over HTTPS.
git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.example.com/group/other-repo.gitHow to prevent it
- Maintain the job-token allowlist between projects that share CI access.
- Prefer the job token for in-pipeline access; reserve PATs for what it cannot do.
- Scope any fallback access token to the minimum required permissions.