Packer "Failed to install plugin" 403/401 in CI
packer init downloads plugin releases from GitHub. Unauthenticated CI runners hit the low anonymous rate limit and get a 403, or a private mirror returns 401, so the plugin never installs.
What this error means
packer init fails with "Error: Failed to install plugin" and an HTTP 403 (rate limited) or 401 (unauthorized) from the plugin download URL.
Error: Failed to install plugin github.com/hashicorp/amazon latest
error getting release: GET https://api.github.com/repos/hashicorp/packer-plugin-amazon/releases:
403 API rate limit exceeded for <ip>.Common causes
Anonymous GitHub API rate limit
A shared CI IP exhausts the low unauthenticated GitHub API quota, so the release lookup returns 403 before the plugin downloads.
A private plugin registry rejects the request
When init points at a private or mirrored registry, a missing or wrong token returns 401.
How to fix it
Authenticate the plugin download
Set a GitHub token so packer init uses the higher authenticated rate limit.
env:
PACKER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- run: packer init .Cache plugins to avoid repeat downloads
Persist the plugin directory so most jobs never call the GitHub API at all.
- uses: actions/cache@v4
with:
path: ~/.config/packer/plugins
key: packer-plugins-${{ hashFiles('**/*.pkr.hcl') }}How to prevent it
- Set
PACKER_GITHUB_API_TOKENin CI to raise the rate limit. - Cache the plugin directory so downloads happen rarely.
- Pin plugin versions so init fetches a known release, not "latest".