Skip to content
Latchkey

Tekton git-clone step "authentication required" in CI

The git-clone step tried to fetch a private repository and the server demanded credentials it did not have. Tekton injects git auth from a Secret annotated with tekton.dev/git that is linked to the run ServiceAccount.

What this error means

A git-clone TaskRun step fails with "fatal: could not read Username" or "remote: HTTP Basic: Access denied" / "authentication required".

Tekton
fatal: Authentication failed for 'https://git.example.com/org/repo.git/'
remote: authentication required

Common causes

No git-credentials secret is linked to the ServiceAccount

Tekton only injects git auth from a basic-auth Secret annotated with tekton.dev/git-0 that is referenced by the run ServiceAccount.

The annotation host does not match the repo

The tekton.dev/git-0 annotation points at a different host than the repository URL, so Tekton does not use the credential.

How to fix it

Create an annotated git-credentials secret

Create a basic-auth Secret with the tekton.dev/git annotation and link it to the ServiceAccount.

git-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: git-creds
  annotations:
    tekton.dev/git-0: https://git.example.com
type: kubernetes.io/basic-auth
stringData:
  username: ci-bot
  password: $GIT_TOKEN

Link the secret to the run ServiceAccount

Add the secret to the ServiceAccount so Tekton injects it into the git-clone step.

Terminal
kubectl patch serviceaccount build-bot -n ci \
  -p '{"secrets":[{"name":"git-creds"}]}'

How to prevent it

  • Annotate git secrets with tekton.dev/git-0 matching the repo host.
  • Link the secret to the ServiceAccount the run uses.
  • Store the git token as a Secret, never inline in the manifest.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →