According to the documentation, it should be possible to access GitLab repos with project access tokens : The username is set to project_{project_id}_bot, such as project_123_bot. Never mind that that's a lie -- the actual user is called project_4194_bot1 in my case; apparently they increment a number for subsequent tokens. Either way -- and I have tried both with and without the trailing 1 -- I would expect git clone "https://project_4194_bot1:$PROJECT_TOKEN@my.gitlab.host/my-group/my-project.git" to succeed, same as with my.username:$PERSONAL_TOKEN (which works perfectly). However, I get remote: HTTP Basic: Access denied fatal: Authentication failed for '<snip>' What may be going on here? How can I access GitLab repositories using project access tokens? It's not as if we'd get that far, but FWIW, the token seems to have sufficient permissions:

It seems that using the project name as username works. In your case replacing project_4194_bot1 with my-project should work: git clone "https://my-project:$PROJECT_TOKEN@my.gitlab.host/my-group/my-project.git" EDIT: One can actually use any non-blank value as a username (see docs ), as others correctly pointed out.

gitauthenticationgitlab

Raphael

Reputation: 10549

Access GitLab repo with project access token

According to the documentation, it should be possible to access GitLab repos with project access tokens:

The username is set to project_{project_id}_bot, such as project_123_bot.

Never mind that that's a lie -- the actual user is called project_4194_bot1 in my case; apparently they increment a number for subsequent tokens.

Either way -- and I have tried both with and without the trailing 1 -- I would expect

git clone "https://project_4194_bot1:[email protected]/my-group/my-project.git"

to succeed, same as with my.username:$PERSONAL_TOKEN (which works perfectly). However, I get

remote: HTTP Basic: Access denied
fatal: Authentication failed for '<snip>'

What may be going on here? How can I access GitLab repositories using project access tokens?

It's not as if we'd get that far, but FWIW, the token seems to have sufficient permissions:

Upvotes: 43

Answers (6)

Tulleb

Reputation: 9186

Also on GitLab you need to setup your token as a Developer in order to clone the repository. The Guest role is not sufficient and will lead to a 403 error even if you have the read_repository right.

Upvotes: 2

rob_7cc

Reputation: 917

Here's some additional valuable information about using the token as an environment variable vs. a literal, and how to use a (literal) GitLab token inside a Python/pip requirements.txt file.

In the above answers, the syntax $PROJECT_TOKEN (dollar sign prefix) assumes you have an environment variable named PROJECT_TOKEN set to the literal token string. If you want to use the literal token string directly in the git command, omit the dollar sign (this is "Shell 101" but it's worth mentioning):

git clone https://USER:[email protected]/my-group/my-project.git

...where USER can be anything (as noted by @rafael-wo above) and replace LITERAL_TOKEN_STRING with the literal project access token string.

Additional Notes...

In general, you are encouraged to use environment variables but I'm including the syntax to use literal token strings for those who are interested...and because literal tokens can be used with Python/pip requirements.txt files as explained next...
You can use literal GitLab Project Access Tokens inside requirements.txt files (Python/pip). Note that pip install -r does not expand environment variables when reading from a requirements file, so you'll need to use a literal token string inside your requirements file. If you need to use an environment variable in this situation, wrap the call to pip install -r inside a top-level shell script. Also, you need to explicitly state a name for the installed package using the #egg argument. Here's an example line that works inside a requirements.txt file, using a literal token string (again, USER can be anything):

-e git+https://USER:[email protected]/my-group/my-project.git#egg=my_project
If you are using gitlab.com (not hosting your own GitLab server), then use gitlab.com in the above commands (instead of my.gitlab.host)

Upvotes: 0

The Creator From Gallifrey

Reputation: 1

I had a similar problem: I couldn't figure out how to access my repo from a client without giving it my password. The solution that worked for me was using the URL in the following format:

https://<token name>:<token>@gitlab.address/group/project.git

Note that any other format will not work. For details, I was using argocd and attempting to continuously deploy a private repo's files. Hope this helps!

Upvotes: 0

Rafael-WO

Reputation: 1630

It seems that using the project name as username works. In your case replacing project_4194_bot1 with my-project should work:

git clone "https://my-project:[email protected]/my-group/my-project.git"

EDIT: One can actually use any non-blank value as a username (see docs), as others correctly pointed out.

Upvotes: 68

Gavin Uberti

Reputation: 461

From the GitLab documentation:

With Git, when using HTTP Basic Authentication, use:

Any non-blank value as a username.

The project access token as the password.

In previous GitLab versions, it would have been necessary to use project_4194_bot1 as the username. However, the current version lets you use any username you wish:

git clone "https://anything:[email protected]/my-group/my-project.git"

Upvotes: 12

Janner

Reputation: 11

I've found that depending on the git version The 'user' can be left empty or a random string if the token is a project access token.

git clone "https://<$USER>:[email protected]/my-group/my-project.git"

Upvotes: 0

Access GitLab repo with project access token

Answers (6)

Related Questions