GitLab CI "fatal: unable to access ... CI_JOB_TOKEN" in CI
A job used $CI_JOB_TOKEN to clone or fetch another project and Git failed with a 403. The token is scoped to the running project; accessing a different project requires that project to allow this one in its job token allowlist.
What this error means
A git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@... step fails with "fatal: unable to access ... The requested URL returned error: 403".
fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.com/group/other-repo.git/': The requested URL returned error: 403Common causes
The target project does not allow this job token
CI/CD job token access is restricted by default; the target project must add the source project to its allowlist.
The token lacks the needed scope or the repo is wrong
The job token cannot read a project it is not authorized for, or the URL points at a nonexistent path.
How to fix it
Allow the source project in the target's token allowlist
- In the target project: Settings > CI/CD > Job token permissions.
- Add the source project to the allowlist.
- Re-run the clone step.
git clone "https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/group/other-repo.git"Use a deploy token or PAT for broader access
When job-token scoping is too narrow, a project deploy token or a masked access token with read scope can authenticate the clone.
How to prevent it
- Configure job token allowlists between projects that clone each other.
- Prefer deploy tokens for cross-project read access where appropriate.
- Keep clone URLs pointed at the exact project path.