32

I'm currently using gitlab.com (not local installation) with their multi-runner for CI integration. This works great on one of my projects but fails for another.

I'm using 2012R2 for my host with MSBuild version 14.0.23107.0. I know the error below shows 403 which is an access denied message. My problem is finding the permission setting to change.

Error message:

Running with gitlab-ci-multi-runner 1.5.3 (fb49c47)
Using Shell executor...
Running on WIN-E0ORPCQUFHS...
Fetching changes...
HEAD is now at 6a70d96 update runner file
remote: Access denied
fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@gitlab.com/##REDACTED##/ADInactiveObjectCleanup.git/': The requested URL returned error: 403
Checking out 60ea1410 as Production...
fatal: reference is not a tree: 60ea1410dd7586f6ed9535d058f07c5bea2ba9c7
ERROR: Build failed: exit status 128

gitlab-ci.yml file:

variables:
  Solution: ADInactiveObjectCleanup.sln

before_script:
  #- "echo off"
  #- 'call "%VS120COMNTOOLS%\vsvars32.bat"'
  ## output environment variables (useful for debugging, probably not what you want to do if your ci server is public)
  #- echo.
  #- set
  #- echo.

stages:
  - build
  #- test
  #- deploy

build:
  stage: build
  script:
  - echo building...
  - '"%ProgramFiles(x86)%\MSBuild\14.0\Bin\msbuild.exe" "%Solution%" /p:Configuration=Release'
  except:
  #- tags
Todd S

7 Answers

47

To resolve this issue I had to add myself as a project member. This is a private repo. I'm not sure if that caused the runner to fail with the different permission setup or not, but it is highly possible.

This help article at gitlab outlines this issue.

With the new permission model in place, there may be times that your build will fail. This is most likely because your project tries to access other project's sources, and you don't have the appropriate permissions. In the build log look for information about 403 or forbidden access messages.

As an Administrator, you can verify that the user is a member of the group or project they're trying to have access to, and you can impersonate the user to retry the failing build in order to verify that everything is correct.

From the project page click the settings gear and then click members. Add yourself (or user generating builds) as a member to the project. I used the "Master" Role, but based off of this document you can probably use the "Reporter" role as a minimum. The reporter role is the least privilege that still has access to "Pull project code." This removed my 403 error and allowed me to continue on.

Todd S
  • So in the environment variables dump there is an email of the person who started the build. That person's rights will determine the success and failure of certain server side elements? Is that correct? – Warren P Oct 14 '16 at 13:04
  • It would never do the environment variable dump for me. If it is unable to clone/pull the runner stops before you get to the 'before_script' block. – Todd S Oct 14 '16 at 14:11
  • Oh yes, that is a bit of a failure case. It might be a nice feature to have the gitlab runner config.toml have an option for shell commands that get run when the git clone fails, so you can figure out things like that. – Warren P Oct 14 '16 at 17:15
  • 1
    Thanks man, could not figure out, why (as admin) could not retry the build process of one of our projects – DZDomi Feb 22 '18 at 13:34
6

I also encountered this problem

fatal: unable to access 'http://gitlab-ci-token:xxxx.git':The Requested URL returned error:403
ERROR: Job Failed: command terminated with exit code 1

But it seems that the reason is not the same as in the above answer: my account is an administrator, and the CI job reports a 403 error when it pulls the project, because the administrator account is not a project member. After it is added as a project member, the error is no longer reported.


Calm
1

Maybe your ISP's IP is blocked by GitLab.

Set US DNS on your system and try again.

Daniel Walker
1

I have seen this problem a couple of times; it is because you clone using HTTPS. To read more about this problem, you can read this page.

I had faced this problem, so I switched to SSH. Go to PowerShell and type ssh-keygen; keep pressing Enter, there is no need to enter any details. Then go to the path c://User/*

cd .ssh
cat id_rsa.pub

Copy the key and paste it into your GitHub or GitLab profile, and clone the project using SSH.

Vipul Ram
1

I had this error when I reset the access_token. Then I set up the username and password in .git/config, with the password being the new access_token, and then it worked.

[remote "origin"]
    url = https://username:password@gitlab.example.com/myusername/myproject

Source: https://forum.gitlab.com/t/remote-you-are-not-allowed-to-upload-code-403/60153

Quyen Anh Nguyen
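
A remote URL of the form shown in the answer above keeps the token in clear text in .git/config, and the same user:secret@host form appears in runner logs like the one in the question. The following is an added example, not part of any answer on this page, that reports such URLs in a config file or log with the secret masked. The function names are hypothetical and the sample file is constructed.

```sh
# Added example (not from the answers): report URLs that embed credentials
# (scheme://user:secret@host) in a git config or job log, secret masked.
# Function names are hypothetical; the sample file below is constructed.

CRED_URL_RE='https?://[^/:@[:space:]]+:[^@/[:space:]]+@'

# Mask the secret in every user:secret@ URL read from stdin.
mask_url_secrets() {
  sed -E 's#(https?://[^/:@[:space:]]+):[^@/[:space:]]+@#\1:****@#g'
}

# Print "file:line:text" (secret masked) for each hit in the file.
# Returns 0 when something was found, 1 when the file is clean.
find_url_secrets() {
  hits=$(grep -nE "$CRED_URL_RE" "$1") || return 1
  printf '%s\n' "$hits" | mask_url_secrets | while IFS= read -r hit; do
    printf '%s:%s\n' "$1" "$hit"
  done
}

# Constructed sample: one remote with an embedded password, and one with only
# a port number, which must not be reported.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[remote "origin"]
    url = https://username:password@gitlab.example.com/myusername/myproject
[remote "mirror"]
    url = https://gitlab.example.com:8443/myusername/myproject
EOF
find_url_secrets "$sample"
rm -f "$sample"
```

Piping a job log through `mask_url_secrets` before pasting it anywhere removes the `gitlab-ci-token` value without hand-editing.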
0

This looks like you need to add a cd command to print the current directory to your before_script. Then go fix permissions to access the parent of that folder. If you installed your gitlab runner to c:\glrunner, it is probably c:\glrunner\builds permission you need to fix.

Second problem is you may need to force a fresh git clone by deleting the builds folder.

You may want to change the login credentials for the gitlab runner service to a gitlabuser which should be a non-admin account, which may have fewer privileges than the LOCAL SYSTEM account that your gitlab runner is using by default.

If you want to know who is logged in, add set to your before_script as well, and you'll get an environment variable dump. From that you can see which account is logged in, and where its USERPROFILE is and other things.

Michu93
Warren P
  • I went through all of your suggestions one at a time to test. It still didn't fix it, but got me looking in the right direction. All of your suggestions allowed me to see that the problems were not with the runner or system it was installed on. The problem existed in project permissions at gitlab.com. I'll post my resolution soon. – Todd S Oct 14 '16 at 02:59
  • Solving issues on a system not fully under your control is tricky indeed. I'm guessing they need some tooling to help you see and resolve permission issues like this. Is it just as simple as making sure that the runner's `~/.ssh/id_rsa.pub` key is known and accepted to gitlab? – Warren P Oct 14 '16 at 13:03
  • Even more simple. I had to add myself as a member to a project I already owned... – Todd S Oct 14 '16 at 14:09
  • That's interesting that you can own something and still be considered a non-member. – Warren P Oct 14 '16 at 17:16
0

Dependent repositories

The Job environment variable CI_JOB_TOKEN can be used to authenticate any clones of dependent repositories. For example:

git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/<user>/<mydependentrepo>.git

It can also be used for system-wide authentication (only do this in a docker container, it will overwrite ~/.netrc):

echo -e "machine gitlab.com\nlogin gitlab-ci-token\npassword ${CI_JOB_TOKEN}" > ~/.netrc
小弟调调
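
The ~/.netrc one-liner in the answer above overwrites any existing file and leaves its permissions to the current umask. The following is an added example, not part of the answer, of writing the same entry so that it refuses to run without a token, keeps existing entries and ends up readable by the owner only. The function name `write_job_netrc` and the token value are hypothetical; in a real job the path would be "$HOME/.netrc".

```sh
# Added example (not from the answer): write the CI_JOB_TOKEN netrc entry
# without clobbering an existing file and without leaving it world-readable.
# Usage: write_job_netrc <netrc-path> [host]   (host defaults to gitlab.com)
write_job_netrc() {
  netrc=$1
  host=${2:-gitlab.com}

  # Outside a job the variable is empty; do not write an empty password.
  if [ -z "${CI_JOB_TOKEN:-}" ]; then
    echo "CI_JOB_TOKEN is not set" >&2
    return 2
  fi

  # Leave an existing entry for this host alone instead of duplicating it.
  if [ -e "$netrc" ] && grep -qFx "machine $host" "$netrc"; then
    echo "entry for $host already present in $netrc" >&2
    return 3
  fi

  # Append rather than overwrite; umask 077 in a subshell so a newly created
  # file starts at mode 600 and the caller's umask is untouched.
  ( umask 077
    printf 'machine %s\nlogin gitlab-ci-token\npassword %s\n' \
      "$host" "$CI_JOB_TOKEN" >> "$netrc" ) || return 1

  # Tighten a pre-existing file that had looser permissions.
  chmod 600 "$netrc"
}

# Constructed demo in a throwaway directory with a fake token.
demo_dir=$(mktemp -d)
( CI_JOB_TOKEN=constructed-token-not-real
  write_job_netrc "$demo_dir/.netrc" && ls -l "$demo_dir/.netrc" )
rm -rf "$demo_dir"
```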