116

Today I've enabled Gitlab's 2nd-factor authentication. After that, whenever I log in to the Gitlab website, I need to use my cell phone to enter a 6-digit code plus my password. That's good, it makes me feel safe.

However, when I use the general operations, for example `git clone some-repo.git`, I get the error:

```
Cloning into 'some-repo'...
remote: HTTP Basic: Access denied
remote: You must use a personal access token with 'api' scope for Git over HTTP.
remote: You can generate one at https://gitlab.com/profile/personal_access_tokens
fatal: Authentication failed for 'some-repo.git'
```

Then I tried an existing cloned local repo using `git pull`, and the same error occurred. Before I enabled the 2nd-factor authentication, all the above operations worked fine.

Following the above error's instructions, I went to the mentioned address: https://gitlab.com/profile/personal_access_tokens. I created the following token and saved the token's key.


However, I don't know what to do with this key. Can someone tell me how to use this key to enable the basic operations like `git pull`, `git clone`, `git push` etc...

Edit

I had many repos on local before I enabled the 2nd-factor authentication. I want these to work too.

an offer can't refuse

6 Answers

236

As explained in using gitlab token to clone without authentication, you can clone a GitLab repo using your Personal Access Token like this:

```
git clone https://oauth2:ACCESS_TOKEN@gitlab.com/yourself/yourproject.git
```

As for how to update your existing clones to use the GitLab Personal Access Token, you should edit your `.git/config` file in each local git directory, which will have an entry something like this:

```
[remote "origin"]
    url = https://yourself@gitlab.com/yourself/yourproject.git
```

Change the url:

```
[remote "origin"]
    url = https://oauth2:ACCESS_TOKEN@gitlab.com/yourself/yourproject.git
```

Now you can continue using this existing git clone as you did before you enabled 2FA.

John Zwinck
  • 10
    +1000. Searched all the web for 2 hours. This worked for me! Thanks a lot – Abadis Apr 09 '19 at 18:52
  • Yeah, this works for me as well! Thank you very much! – KD.S.T. Apr 17 '19 at 06:42
  • 2
    What if it's a private gitlab repository? – Vikram K Apr 23 '19 at 09:24
  • @VikramK: We don't have one of those, so you'll have to tell us, what happened when you tried? – John Zwinck Apr 23 '19 at 09:35
  • @JohnZwinck and others - Apparently it was not a token issue. The repository admin hadn't enabled the rights for me to push the code yet. Once done, my push was smooth. However, if a credential box pops up, that token must be supplied as the password - ` "You can also use personal access tokens to authenticate against Git over HTTP. They are the only accepted password when you have Two-Factor Authentication (2FA) enabled." ` – Vikram K Apr 26 '19 at 08:39
  • 1
    This method also worked for linking repositories created separately on gitlab and my local system (using `git init`). Thanks – yashtodi94 Jan 10 '20 at 08:08
  • Thanks this was useful – Piotr Mar 03 '20 at 17:28
  • 6
    I had to use the name of my token name instead of "oauth2" – Ommadawn Apr 18 '20 at 12:27
  • Thanks a lot ! Incredible that such simple instructions were not indicated on gitlab just after generating a token. – Charles Julien Jan 21 '21 at 08:59
  • My only regret is that I have but one upvote to give for this concise and correct answer!!! +1 – angryITguy Jan 05 '22 at 03:59
  • **WARNING**: Doing this saves the token in `.git/config`, which gets published to the webroot. Make sure that your `.git` folder is hidden, or else your project code will be disclosed publicly if you do this. See https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html. – Obsidian Age May 04 '22 at 03:39
  • Use Personal Access Token instead of this solution. – Mayank Verma Jan 25 '23 at 05:56
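
Following up on the warning in the comments about the token ending up in `.git/config`: the script below is an added example, not part of the original answers. It detects remotes whose URL embeds a secret (the `oauth2:ACCESS_TOKEN@` form shown above) and rewrites them to a credential-free URL, so that a credential helper holds the token instead. The function names and sample paths are hypothetical.

```shell
#!/bin/sh
# Added example: find and clean remotes that embed a token in the URL.
# Function names are hypothetical; paths in the usage comment are constructed.

# Print the userinfo part ("user" or "user:secret") of an http(s) URL, if any.
url_userinfo() {
    # authority = everything between "scheme://" and the first "/"
    authority=$(printf '%s\n' "$1" | sed -n 's|^https\{0,1\}://\([^/]*\).*|\1|p')
    case "$authority" in
        *@*) printf '%s\n' "${authority%@*}" ;;
    esac
}

# Succeed only when the URL carries a password or token (user:secret@host).
url_has_secret() {
    case "$(url_userinfo "$1")" in
        *:*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the URL with the whole userinfo part removed.
strip_credentials() {
    printf '%s\n' "$1" | sed 's|^\(https\{0,1\}://\)[^/]*@|\1|'
}

# Rewrite one remote of one clone if its URL embeds a secret.
# $1 = path to the clone, $2 = remote name (defaults to origin)
clean_remote() {
    remote=${2:-origin}
    url=$(git -C "$1" remote get-url "$remote") || return 1
    if url_has_secret "$url"; then
        git -C "$1" remote set-url "$remote" "$(strip_credentials "$url")"
        echo "$1: removed embedded credentials from '$remote'"
    fi
}

# Usage (constructed paths):
#   for d in ~/src/*/; do [ -d "$d/.git" ] && clean_remote "$d"; done
# On the next fetch or push Git prompts once; give the token as the password
# and let the configured credential helper store it.
```

A token that has already sat in a `.git/config` under a web-served directory should be revoked and reissued after the remote is cleaned.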
43

I used the generated Personal Access Token as the password when prompted to enter credentials.

This allowed me to just use the standard Git Clone syntax without entering anything additional.

When you generate, copy the token. This is the password that will be stored in Credential Manager when you clone. Use that as your password instead of your git password.

Erik
6

Visit the below link and enter your Name and Expiry Date.

Then click on the different checkboxes like read_user, read_repository, write_repository, etc for access scopes and create a new Personal Access Token and store it in a secured location

https://gitlab.com/profile/personal_access_tokens

Now when you do a git pull, git clone, git push, etc you can enter your username/email as the Username and enter the newly created Personal Access Token as Password

Sudharshan
6

See the link below

You just need to create a new token for your profile! To do this,

  1. click on your photo and then enter the Edit Profile section
  2. click on Access Tokens
  3. Create a new token with the permissions you need
  4. Now copy the created token according to the photo below
  5. `git clone https://github.com/YOUR-USERNAME/YOUR-REPOSITORY`
  6. Enter your username, but use the created token instead of the password!
0

Clone current repo with `git clone ${CI_REPOSITORY_URL}`

Clone other repos with `git clone https://oauth2:${PERSONAL_ACCESS_TOKEN}@gitlab.com/acme/my-project.git`. Gitlab uses "oauth2" + token convention to populate OAuth2 Authentication headers, but I could not find official documentation for this.

Enable current repo modifications with `git remote set-url origin ${CI_PROJECT_URL/gitlab.com/oauth2:${PERSONAL_ACCESS_TOKEN}@gitlab.com}.git`

Here is a job that tags the current repo, using git push:

```yaml
build_rpms:
  stage: package
  script:
    - echo "Build RPMs. Add tag v1.9d"
    - apk add git
    - git config --list

    # --force is needed for both tag and push to allow job replay
    - git tag v1.9d --force

    # Enable pushing from CI pipeline:
    #
    # At that point git origin points to CI_REPOSITORY_URL=
    # https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/acme/my-project.git
    # This setup does not allow modifications (i.e git push will be rejected).
    #
    # We use Gitlab Personal Access Token with 'write' access. This token shall
    # be generated via Gitlab user settings and then it shall be added as a masked
    # environment variable for this project CI settings.
    #
    # Use "oauth2" as user. For example for CI_PROJECT_URL=https://gitlab.com/acme/my-project
    #   set origin to https://oauth2:wSHnMvSmYXtTfXtqRMxs@gitlab.com/acme/my-project.git
    #
    - git remote set-url origin ${CI_PROJECT_URL/gitlab.com/oauth2:${PERSONAL_ACCESS_TOKEN}@gitlab.com}.git
    - git remote -v

    # Use -o ci.skip option to avoid triggering pipeline again
    - git push origin v1.9d --force -o ci.skip
  when:
    manual
```

Sergey D
0

A user-friendly alternative to personal access tokens is Git Credential Manager which does secure OAuth authentication via web browser. Documentation at https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#git-credential-manager

Colonel Panic