Skip to content
Latchkey

GitLab CI "fatal: unable to access ... CI_JOB_TOKEN" in CI

A job used $CI_JOB_TOKEN to clone or fetch another project and Git failed with a 403. The token is scoped to the running project; accessing a different project requires that project to allow this one in its job token allowlist.

What this error means

A git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@... step fails with "fatal: unable to access ... The requested URL returned error: 403".

Git / CI_JOB_TOKEN
fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.com/group/other-repo.git/': The requested URL returned error: 403

Common causes

The target project does not allow this job token

CI/CD job token access is restricted by default; the target project must add the source project to its allowlist.

The token lacks the needed scope or the repo is wrong

The job token cannot read a project it is not authorized for, or the URL points at a nonexistent path.

How to fix it

Allow the source project in the target's token allowlist

  1. In the target project: Settings > CI/CD > Job token permissions.
  2. Add the source project to the allowlist.
  3. Re-run the clone step.
bash
git clone "https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/group/other-repo.git"

Use a deploy token or PAT for broader access

When job-token scoping is too narrow, a project deploy token or a masked access token with read scope can authenticate the clone.

How to prevent it

  • Configure job token allowlists between projects that clone each other.
  • Prefer deploy tokens for cross-project read access where appropriate.
  • Keep clone URLs pointed at the exact project path.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →