GitLab CI CI/CD Job Token Cross-Project Access Denied
CI_JOB_TOKEN can authenticate to other GitLab projects (clone, packages, API) only if the target project explicitly allows the source project. By default cross-project access is restricted.
What this error means
A job using CI_JOB_TOKEN against another project gets 403 or access denied when cloning, pulling a package, or calling the API.
remote: The project you were looking for could not be found or
you don't have permission to view it.
fatal: Authentication failed for 'https://gitlab.example.com/group/dep.git/'Common causes
Source project not on the target allowlist
Target projects restrict CI job token access; the source project must be added to the inbound allowlist.
Token role too low
The job token inherits limited permissions; the operation may require a higher role than the token has.
Token access disabled entirely
Some projects disable CI job token authentication, blocking all cross-project use.
How to fix it
Add the source project to the allowlist
Configure the target project to accept the CI job token from the source project.
- In the target project open Settings then CI/CD then Job token permissions.
- Add the source project (or group) to the allowlist.
- Re-run the job to confirm access.
Use a clone path that carries the token
Clone via the CI job token URL so authentication is automatic once allowlisted.
script:
- git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.example.com/group/dep.gitHow to prevent it
- Maintain the job token allowlist as cross-project dependencies grow.
- Prefer the CI job token over long-lived PATs for cross-project access.
- Document which projects depend on each other via job tokens.