"HTTP Basic: Access denied" with CI_JOB_TOKEN since a few days

Hello,

a few days ago pulling a private repository from the CI of another repository using the CI_JOB_TOKEN stopped working. I was told nothing was changed in our GitLab configuration or permissions. So we are wondering if something changed for the CI_JOB_TOKEN.

We are using the following line to install a pip package from another private repository:

git+https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/accessio/openmodule/libcontroller@INBOX-1504#egg=arivo-libcontroller

The output is:

  Running command git clone --filter=blob:none --quiet 'https://gitlab-ci-token:****@gitlab.com/accessio/openmodule/libcontroller' /tmp/pip-install-jdl8w55e/arivo-libcontroller_720f4dc7260a40e28d55d4e58698ac10
  remote: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See https://gitlab.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied
  fatal: Authentication failed for 'https://gitlab.com/accessio/openmodule/libcontroller/'
  error: subprocess-exited-with-error

The link does not provide any information for us to find out why it does not work anymore. We also checked the docs here and all looks fine.
An older pipelines which worked fine a few days ago, is now also failing with the same error.

Did something change in GitLab or does anyone have a clue what might be the problem?

Thanks
Thomas

Maybe your token expired. Try generating and using a new one, perhaps one that doesn’t expire?

The error message states that it has problems with the password or token provided, so that would be the best place to start.

When a pipeline job is about to run, GitLab generates a unique token and injects it as the CI_JOB_TOKEN predefined variable.

and

The token is valid only while the pipeline job runs

So the token should be valid.

Sorry, this was no Problem with GibLab. Tox stopped to use the environment variables from the CI and therefore the CI_JOB_TOKEN was not definied when we pulled from our repo. The empty token was displayed as “****”, making us think that the token was not valid.

1 Like