1

I'm in the process of migrating our internal GitLab-CE to GitLab-EE. When checking that CI pipelines work correctly, I noticed that the ones that clone repositories using CI_JOB_TOKEN did not work. After some debugging I managed track down the error to the actually git clone command. The command does not work if the access token is part of the clone URL. To test my hypothesis, I created a personal access token and tried to clone a repository using command git clone https:\\myusername:[email protected]/myusername/project1.git. The command fails with Authentication error (403 from gitlab nginx).

when I run the same command in interactive mode: git clone https:\\[email protected]/myusername/project1.git and use my access token as password when I'm prompted the command works fine.

Any idea what the problem is. Is there some configuration setting that disallows the use of passwords/tokens as part of the URL.

P.S. Our server is using self-signed certificate at the moment, but I don't think that's the problem since the second command works fine.

Improve this question
4
  • From the answers to this question, it seems that you need the token name, not your username. stackoverflow.com/questions/25409700/… Commented Feb 17, 2022 at 12:15
  • @FedericoNafria Yes, for the actualy ci job token I use the toke name, which is gitlab-ci-token. For the personal access token one uses username. Nevertheless the problem is present with project access tokens also. Commented Feb 17, 2022 at 13:03
  • Maybe the problem is that the string is getting parsed somehow? Because of $ or something else, try putting it between '. Commented Feb 17, 2022 at 14:10
  • @FedericoNafria I tried using ´'´ and ´"´. First did not work at all, and the second one had the same error. Commented Feb 18, 2022 at 8:22

1 Answer 1

Reset to default
1

After some testing and googling I managed to find a workaround. Using a shell script in combination with environmental variable, the pipeline now works with following steps (.gitlab-ci.yml):

script:
  - echo 'echo $CI_JOB_TOKEN' > ~./.git-askpass
  - chmod +x ~./.git-askpass
  - export GIT_ASKPASS=~./.git-askpass
  - git clone https:\\[email protected]/myusername/project1.git

Now when git clone command prompts for password for user gitlab-ci-token, the script is executed and output is used as password/token.

It is interesting why I couldn't get this to work without this workaround considering the official documentation uses the token as part of the url (https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html#gitlab-cicd-job-token), and since it was working on the older gitlab installation (old was 13.7.3 CE and new is 14.7.0 EE).

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.