Skip to content
Latchkey

GitLab CI CI/CD Job Token Cross-Project Access Denied

CI_JOB_TOKEN can authenticate to other GitLab projects (clone, packages, API) only if the target project explicitly allows the source project. By default cross-project access is restricted.

What this error means

A job using CI_JOB_TOKEN against another project gets 403 or access denied when cloning, pulling a package, or calling the API.

gitlab-ci
remote: The project you were looking for could not be found or
you don't have permission to view it.
fatal: Authentication failed for 'https://gitlab.example.com/group/dep.git/'

Common causes

Source project not on the target allowlist

Target projects restrict CI job token access; the source project must be added to the inbound allowlist.

Token role too low

The job token inherits limited permissions; the operation may require a higher role than the token has.

Token access disabled entirely

Some projects disable CI job token authentication, blocking all cross-project use.

How to fix it

Add the source project to the allowlist

Configure the target project to accept the CI job token from the source project.

  1. In the target project open Settings then CI/CD then Job token permissions.
  2. Add the source project (or group) to the allowlist.
  3. Re-run the job to confirm access.

Use a clone path that carries the token

Clone via the CI job token URL so authentication is automatic once allowlisted.

.gitlab-ci.yml
script:
  - git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.example.com/group/dep.git

How to prevent it

  • Maintain the job token allowlist as cross-project dependencies grow.
  • Prefer the CI job token over long-lived PATs for cross-project access.
  • Document which projects depend on each other via job tokens.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →