Skip to content
Latchkey

Packer "Failed to install plugin" 403/401 in CI

packer init downloads plugin releases from GitHub. Unauthenticated CI runners hit the low anonymous rate limit and get a 403, or a private mirror returns 401, so the plugin never installs.

What this error means

packer init fails with "Error: Failed to install plugin" and an HTTP 403 (rate limited) or 401 (unauthorized) from the plugin download URL.

packer
Error: Failed to install plugin github.com/hashicorp/amazon latest

	error getting release: GET https://api.github.com/repos/hashicorp/packer-plugin-amazon/releases:
	403 API rate limit exceeded for <ip>.

Common causes

Anonymous GitHub API rate limit

A shared CI IP exhausts the low unauthenticated GitHub API quota, so the release lookup returns 403 before the plugin downloads.

A private plugin registry rejects the request

When init points at a private or mirrored registry, a missing or wrong token returns 401.

How to fix it

Authenticate the plugin download

Set a GitHub token so packer init uses the higher authenticated rate limit.

.github/workflows/build.yml
env:
  PACKER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
  - run: packer init .

Cache plugins to avoid repeat downloads

Persist the plugin directory so most jobs never call the GitHub API at all.

.github/workflows/build.yml
- uses: actions/cache@v4
  with:
    path: ~/.config/packer/plugins
    key: packer-plugins-${{ hashFiles('**/*.pkr.hcl') }}

How to prevent it

  • Set PACKER_GITHUB_API_TOKEN in CI to raise the rate limit.
  • Cache the plugin directory so downloads happen rarely.
  • Pin plugin versions so init fetches a known release, not "latest".

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →