Artifactory "403 Forbidden" deploy permission in CI
Artifactory accepted the credentials (so it is not a 401) but the authenticated principal is not permitted to deploy to that repository or path. 403 will not clear on retry; it is a permissions problem.
What this error means
A publish or upload step fails with HTTP 403 and a message like "User is not permitted to deploy" or "Forbidden" for the PUT to the target repo path.
Uploading to https://mycompany.jfrog.io/artifactory/libs-release-local/com/acme/app/1.0.0/app-1.0.0.jar
Received status code 403 (Forbidden) from server: {
"errors" : [ { "status" : 403, "message" : "User acme-ci is not permitted to deploy 'com/acme/app/1.0.0/app-1.0.0.jar' ..." } ]
}Common causes
The CI user has read but not deploy permission
The permission target grants the token read on the repo but not the Deploy/Cache action, so uploads are refused.
A path exclusion or wrong target repository
The permission target scopes to specific paths, or the deploy targets a virtual/remote repo instead of the local repo that accepts writes.
How to fix it
Grant Deploy on the correct local repository
- In Artifactory Admin, open the permission target covering the target repo.
- Add the CI user or group with the Deploy/Cache action.
- Confirm the deploy targets the
-localrepository, not a virtual one.
Point the deploy at the writable repo
Virtual repos aggregate for reads; deploy to the backing local repo defined as the virtual repo's default deployment target.
<distributionManagement>
<repository>
<id>artifactory</id>
<url>https://mycompany.jfrog.io/artifactory/libs-release-local</url>
</repository>
</distributionManagement>How to prevent it
- Give CI service accounts an explicit Deploy permission target, not just read.
- Deploy to
-localrepositories, never to virtual or remote ones. - Review path exclusions on the permission target when adding new coordinates.