1

I'm in the process of migrating our internal GitLab-CE to GitLab-EE. When checking that CI pipelines work correctly, I noticed that the ones that clone repositories using `CI_JOB_TOKEN` did not work. After some debugging I managed to track down the error to the actual `git clone` command. The command does not work if the access token is part of the clone URL. To test my hypothesis, I created a personal access token and tried to clone a repository using the command `git clone https://myusername:accesstoken@gitlab.internal/myusername/project1.git`. The command fails with an authentication error (403 from gitlab nginx).

When I run the same command in interactive mode, `git clone https://myusername@gitlab.internal/myusername/project1.git`, and use my access token as the password when I'm prompted, the command works fine.

Any idea what the problem is? Is there some configuration setting that disallows the use of passwords/tokens as part of the URL?

P.S. Our server is using a self-signed certificate at the moment, but I don't think that's the problem since the second command works fine.

jfp
  • 73
  • 7
  • From the answers to this question, it seems that you need the token name, not your username. https://stackoverflow.com/questions/25409700/using-gitlab-token-to-clone-without-authentication – Federico Nafria Feb 17 '22 at 12:15
  • @FedericoNafria Yes, for the actual CI job token I use the token name, which is gitlab-ci-token. For the personal access token one uses the username. Nevertheless, the problem is present with project access tokens also. – jfp Feb 17 '22 at 13:03
  • Maybe the problem is that the string is getting parsed somehow? Because of `$` or something else, try putting it between `'`. – Federico Nafria Feb 17 '22 at 14:10
  • @FedericoNafria I tried using `'` and `"`. The first did not work at all, and the second one had the same error. – jfp Feb 18 '22 at 08:22

1 Answer

1

After some testing and googling I managed to find a workaround. Using a shell script in combination with an environment variable, the pipeline now works with the following steps (.gitlab-ci.yml):

```yaml
script:
  # Helper script that prints the job token; git runs it when it needs a password
  - echo 'echo $CI_JOB_TOKEN' > ~/.git-askpass
  - chmod +x ~/.git-askpass
  - export GIT_ASKPASS=~/.git-askpass
  # Only the user name is in the URL; the token is supplied through GIT_ASKPASS
  - git clone https://gitlab-ci-token@gitlab.internal/myusername/project1.git
```

Now, when the `git clone` command prompts for a password for user gitlab-ci-token, the script is executed and its output is used as the password/token.

It is interesting why I couldn't get this to work without this workaround, considering the official documentation uses the token as part of the URL (https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html#gitlab-cicd-job-token), and since it was working on the older GitLab installation (old was 13.7.3 CE and new is 14.7.0 EE).

jfp
  • 73
  • 7
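
The `GIT_ASKPASS` workaround from the answer above, as an added example that is not part of the original post: the helper reads the token from the environment when git calls it, so the token never appears in the clone URL or in the helper file. It goes slightly beyond the answer by also replying to git's username prompt. The function names and the `GIT_ASKPASS_USER` variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). make_askpass, clone_with_token
# and GIT_ASKPASS_USER are hypothetical names chosen for this illustration.

# make_askpass DIR -> creates an owner-only helper in DIR and prints its path.
make_askpass() {
    dir=$1
    helper="$dir/git-askpass.sh"
    old_umask=$(umask)
    umask 077                      # file is owner-only from the moment it exists
    cat > "$helper" <<'EOF'
#!/bin/sh
# git passes the prompt text as $1 and reads the reply from stdout.
case "$1" in
    Username*) printf '%s\n' "${GIT_ASKPASS_USER:-gitlab-ci-token}" ;;
    Password*) printf '%s\n' "${CI_JOB_TOKEN:?CI_JOB_TOKEN is not set}" ;;
    *)         exit 1 ;;           # unknown prompt: answer nothing
esac
EOF
    chmod 700 "$helper"
    umask "$old_umask"
    printf '%s\n' "$helper"
}

# clone_with_token URL DEST: clone with the token supplied only via the helper.
# Example: clone_with_token https://gitlab-ci-token@gitlab.internal/myusername/project1.git project1
clone_with_token() {
    tmp=$(mktemp -d) || return 1
    GIT_ASKPASS=$(make_askpass "$tmp")
    export GIT_ASKPASS
    # GIT_TERMINAL_PROMPT=0 makes git fail instead of falling back to a TTY prompt.
    GIT_TERMINAL_PROMPT=0 git clone "$1" "$2"
    rc=$?
    rm -rf "$tmp"                  # remove the helper once the clone is done
    unset GIT_ASKPASS
    return $rc
}
```

Because the token is passed through the environment rather than the URL, it is not stored in the `remote.origin.url` entry of the cloned repository's `.git/config`.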