Nexus "403 Forbidden" on deploy (missing privilege) in CI
A 403 from Nexus means the credentials were accepted but the account is not permitted to write to that repository. Unlike 401, retrying with the same user will not help; the role needs the add/edit privilege.
What this error means
The upload authenticates but fails with "status code: 403, reason phrase: Forbidden" for the target repository, while other repositories or read access work for the same user.
[ERROR] Failed to deploy artifacts: Could not transfer artifact
com.example:app:jar:1.2.0 from/to nexus
(https://nexus.example.com/repository/maven-releases/):
status code: 403, reason phrase: Forbidden (403)Common causes
The role lacks the repository add/edit privilege
In Nexus, writing needs nx-repository-view-<format>-<repo>-add and -edit. A read-only role authenticates fine but is forbidden from uploading.
Content selectors restrict the path
A content selector privilege can allow only certain coordinates; a deploy outside that selector is forbidden even though the repo is writable in general.
How to fix it
Grant the add/edit privileges to the CI role
- Open Nexus, Security, Roles, and select the role the CI user belongs to.
- Add the
nx-repository-view-*-<repo>-addand-editprivileges for the target repository. - Re-run the deploy; the same credentials now pass.
# Privileges the CI role needs to deploy to maven-releases:
nx-repository-view-maven2-maven-releases-add
nx-repository-view-maven2-maven-releases-edit
nx-repository-view-maven2-maven-releases-readUse a dedicated CI deploy account
Create a service account whose role holds exactly the write privileges for the repos CI publishes to, and store its password as a secret.
How to prevent it
- Give the CI service account explicit add/edit privileges per repository.
- Keep deploy and read roles separate and least-privilege.
- Review content selectors so CI coordinates are not blocked.