Using GitLab token to clone without authentication

Question

I want to clone GitLab repository without prompt for my automation script, by using my private token from my GitLab account.

Can someone provide me a sample?

I know I can do so with user and password:

git clone https://" + user + ":" + password + "@" + gitlaburl;

and I know it is possible with ssh key

But, both options are insufficient.

for me the usefull syntax was: https://$GIT_USERNAME:$GITLAB_PERSONAL_ACCESS_TOKEN@gitlaburl — user1767316, May 20 '21 at 12:58

score 251 · Answer 1 · answered Apr 10 '15 at 21:05

251

I know this is old but this is how you do it:

git clone https://oauth2:ACCESS_TOKEN@somegitlab.com/vendor/package.git

answered Apr 10 '15 at 21:05

Roshan Gautam

2,790
1
10
11

3

This worked for me on GitLab 8.5.7 Enterprise Edition. – Ben Patterson Aug 05 '16 at 02:45
1

Works here (GitLab Community Edition 8.16.5 064dab1) – Martin M. Apr 06 '17 at 16:15
8

It works! I wonder why on gitlab.com on project details they don't give the complete command syntax :-(( – FRa Feb 28 '18 at 17:16
1

Works for Gitlab 10.4.4 but you need to make an `api` token. A `read_user` can only read repos under `/users` – Kurt Mar 17 '18 at 15:22
If there is a `submodule` inside, which hosted under the same account, the `clone` will still prompt to type in username and password. Is there any workaround? – weefwefwqg3 Sep 10 '18 at 18:14
The `oauth2` portion is probably arbitrary. I put the name of the access token instead. – Kenny Evitt Oct 16 '18 at 20:19
This worked for me, after create token with API permissions – Rutrus Nov 08 '18 at 11:56
5

How to use this over `ssh`? – hemu Apr 02 '19 at 06:00
This answer helped me a lot but a pratical example solved my problem. Supposing to use GitLab, the solution is "git clone https://oauth2:a3Fae3FaQty5aq@gitlab.com/pippo/projectname.git", where PERSONAL_ACCESS_TOKEN = a3Fae3FaQty5aq and pippo = username. Hope it will be helpful – Gianluca Jun 19 '20 at 07:25
3

Even `read_api` and `write_api` permissions are not enough. You have to have `api`. – Ella Sharakanski Dec 02 '20 at 14:48

score 57 · Answer 2 · edited Dec 21 '17 at 12:59

57

The gitlab has a lot of tokens:

Private token
Personal Access Token
CI/CD running token

I tested only the Personal Access Token using GitLab Community Edition 10.1.2, the example:

git clone https://gitlab-ci-token:${Personal Access Tokens}@gitlab.com/username/myrepo.git


git clone https://oauth2:${Personal Access Tokens}@gitlab.com/username/myrepo.git

or using username and password:

git clone https://${username}:${password}@gitlab.com/username/myrepo.git

or by input your password:

git clone https://${username}@gitlab.com/username/myrepo.git

But the private token seems can not work.

edited Dec 21 '17 at 12:59

Roman Snitko

3,654
21
28

answered Nov 24 '17 at 10:18

xuanyuanaosheng

882
7
9

5

Note that private tokens were removed in favour of personal access tokens in GitLab 10.2: https://about.gitlab.com/2017/09/22/gitlab-10-0-released/#private-tokens – David Planella Nov 11 '18 at 06:05
And about user+password+token? How to express all in one URL? Now my gitlab-software server use all, login and two-factor (or token). – Peter Krauss Jan 06 '21 at 22:53
pretty amazing that I had to refer to this and there is nothing (I can find) on the official GitLab Docs on this – cryanbhu Feb 14 '21 at 05:47

score 42 · Answer 3 · answered Jan 25 '16 at 22:39

42

You can do it like this:

git clone https://gitlab-ci-token:<private token>@git.example.com/myuser/myrepo.git

answered Jan 25 '16 at 22:39

Tim Hughes

2,405
1
19
23

2

this seems right but it always fails authentication for me :( – Randyaa Apr 25 '16 at 01:52
same to me: fatal: Authentication failed for – vogash May 03 '16 at 10:22
4

needs to be replaced with the CI runner's token, not the account's private token. – Kip Jun 02 '16 at 15:08
2

i think you should also be able to use your personal token right @tim – Gobi Dasu Jul 02 '16 at 10:55
You can use the project specific ci token (enable builds, then go to the project/runners config). – BM5k Jul 26 '16 at 19:10
but I host an gitlab server for myself and its version is 6.6.2. I only have private token. When I run the command git clone https://" + user + ":" + password + "@" + gitlaburl; I got error fatal: Authentication failed for . same as @vogash – biolinh Feb 09 '17 at 12:02
It still works for me. @biolinh Did you try generating the personal access token with api scope, from the Acess Tokens section under user settings. – darkdefender27 Mar 08 '18 at 06:52
tested using personal access token, works as of 2019-03 – Erik Aronesty Mar 04 '19 at 15:29
This solution worked for me, the highest voted solution (using oauth2) did not work. Literally just changed from oauth2 to gitlab-ci-token and it started working – ET Come Back Mar 08 '19 at 20:02

score 31 · Answer 4 · answered Jun 22 '18 at 05:14

31

Use the token instead of the password (the token needs to have "api" scope for clone to be allowed):

git clone https://username:token@gitlab.com/user/repo.git

Tested against 11.0.0-ee.

answered Jun 22 '18 at 05:14

Zbyněk Winkler

889
1
9
10

Yes, it works for me. Token can be used as password. – cwtuan Dec 24 '18 at 07:03
2

For people Googling this: this is what you want if using Personal Access Tokens over HTTPS on gitlab.com. – Adam Baxter Aug 10 '19 at 13:50
Isn't it amazing that we have to find this here and not on the GitLab Docs page on Personal Access Tokens? – cryanbhu Feb 14 '21 at 05:54

score 16 · Answer 5 · answered Sep 03 '18 at 17:51

16

If you already has a repository and just changed the way you do authentication to MFA, u can change your remote origin HTTP URI to use your new api token as follows:

git remote set-url origin https://oauth2:TOKEN@ANY_GIT_PROVIDER_DOMAIN/YOUR_PROJECT/YOUR_REPO.git

And you wont need to re-clone the repository at all.

answered Sep 03 '18 at 17:51

Roger Barreto

1,758
1
14
21

4

`git clone https://oauth2:TOKEN@ANY_GIT_PROVIDER_DOMAIN/YOUR_PROJECT/YOUR_REPO.git` also worked for me, thank you!! I will Answer this thread with my correct solution. – Rutrus Nov 08 '18 at 11:54

score 14 · Answer 6 · edited Aug 17 '16 at 20:43

14

You can use the runners token for CI/CD Pipelines of your GitLab repo.

git clone https://gitlab-ci-token:<runners token>@git.example.com/myuser/myrepo.git

Where <runners token> can be obtained from:

git.example.com/myuser/myrepo/pipelines/settings

or by clicking on the Settings icon -> CI/CD Pipeline and look for Runners Token on the page

Screenshot of the runners token location:

edited Aug 17 '16 at 20:43

jmq

9,602
14
54
68

answered Aug 17 '16 at 07:02

Enlai

148
2
4

5

Note: The runners token has been deprecated now. – Arihant Godha Sep 22 '16 at 12:34
@ArihantGodha source? – miq Sep 23 '16 at 10:22
2

@miq see [here](https://docs.gitlab.com/ce/user/project/new_ci_build_permissions_model.html) (as of >= 8.12) – Yan Foto Oct 21 '16 at 11:19
1

This format is now deprecated, please see https://stackoverflow.com/questions/25409700/using-gitlab-token-to-clone-without-authentication/47347515#47347515 – Muhan Alim Nov 17 '17 at 09:43
Doesn't work from inside GitLab CI pipeline. But this line works: `git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/...` – Slawa Aug 30 '18 at 13:47

score 10 · Answer 7 · edited Apr 16 '19 at 23:38

10

One possible way is using a deploy token (https://docs.gitlab.com/ee/user/project/deploy_tokens). After creating the token, use:

git clone https://<username>:<deploy_token>@gitlab.example.com/tanuki/awesome_project.git

as mentioned in the link above.

edited Apr 16 '19 at 23:38

Vix

818
8
16

answered Sep 02 '18 at 11:59

shahar taite

382
5
10

Neither does this seem to be working with npm install on a fresh docker container, defaults to ssh. – Vix Apr 17 '19 at 10:57

score 9 · Answer 8 · edited Jun 20 '20 at 09:12

9

As of 8.12, cloning using HTTPS + runner token is not supported anymore, as mentioned here:

In 8.12 we improved build permissions. Being able to clone project using runners token it is no supported from now on (it was actually working by coincidence and was never a fully fledged feature, so we changed that in 8.12). You should use build token instead.

This is widely documented here - https://docs.gitlab.com/ce/user/project/new_ci_build_permissions_model.html.

edited Jun 20 '20 at 09:12

Community

1
1

answered Oct 21 '16 at 11:51

Yan Foto

8,951
4
45
79

1

It isn't possible using runners tokens but is using personal access tokens. Please see my answer: https://stackoverflow.com/questions/25409700/using-gitlab-token-to-clone-without-authentication/47347515#47347515 – Muhan Alim Nov 17 '17 at 09:42
@MuhanAlim I'd recommend no one to expose their whole account using access tokens. That's why they are called ***Private** Access Tokens*! – Yan Foto Nov 17 '17 at 11:09
The question doesn't mention anything about making the key public, only how to use the key in place of a username and password for cloning. But that it is a good point, I would not recommend anyone use the keys anywhere that is public. – Muhan Alim Nov 17 '17 at 11:45
2

*automation script* implies that the whole procedure is not running locally. Probably somewhere where others also have access to. – Yan Foto Nov 17 '17 at 15:19

score 8 · Answer 9 · edited Jun 17 '19 at 13:27

8

Inside a GitLab CI pipeline the CI_JOB_TOKEN environment variable works for me:

git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/...

Source: Gitlab Docs

BTW, setting this variable in .gitlab-ci.yml helps to debug errors.

variables:
    CI_DEBUG_TRACE: "true"

edited Jun 17 '19 at 13:27

Martin Thoma

91,837
114
489
768

answered Aug 30 '18 at 13:50

Slawa

953
11
20

score 5 · Answer 10 · answered Jul 01 '20 at 03:36

many answers above are close, but they get ~username syntax for deploy tokens incorrect. There are other types of tokens, but the deploy token is what gitlab offers (circa 2020+ at least) per repo to allow customized access, including read-only.

from a repository (or group), find the settings --> repository --> deploy tokens. Create a new one. A username and token field are created. The username is NOT a fixed value by default; it's unique to this token.

git clone https://<your_deploy_token_username>:<the_token>@gitlab.com/your/repo/path.git

tested on gitlab.com public, free account.

score 2 · Answer 11 · answered Feb 08 '17 at 08:25

2

I went SSH using the per project deploy keys setting (read only)

answered Feb 08 '17 at 08:25

Laurent

998
9
22

Me too because I am using GIT_STRATEGY: none. – Aalex Gabi Mar 22 '18 at 08:59

score 1 · Answer 12 · answered Jun 17 '19 at 15:19

To make my future me happy: RTFM - don't use the gitlab-ci-token at all, but the .netrc file.

There are a couple of important points:

echo -e "machine gitlab.com\nlogin gitlab-ci-token\npassword ${CI_JOB_TOKEN}" > ~/.netrc
Don't forget to replace "gitlab.com" by your URL!
Don't try to be smart and create the .netrc file directly - gitlab will not replace the $CI_JOB_TOKEN within the file!
Use https://gitlab.com/whatever/foobar.com - not ssh://git@foobar, not git+ssh://, not git+https://. You also don't need any CI-TOKEN stuff in the URL.
Make sure you can git clone [url from step 4]

Background: I got

fatal: could not read Username for 'https://gitlab.mycompany.com': No such device or address

when I tried to make Ansible + Gitlab + Docker work as I imagine it. Now it works.

score 0 · Answer 13 · answered Oct 19 '20 at 15:49

These days (Oct 2020) you can use just the following

git clone $CI_REPOSITORY_URL

Which will expand to something like:

git clone https://gitlab-ci-token:[MASKED]@gitlab.com/gitlab-examples/ci-debug-trace.git

Where the "token" password is ephemeral token, it should be revoked after a build is complete.

score -1 · Answer 14 · answered Feb 16 '20 at 07:59

-1

Customising the URL is not needed. Just use a git configuration for gitlab tokens such as

git config --global gitlab.accesstoken {TOKEN_VALUE}

extended description here

answered Feb 16 '20 at 07:59

Bizmate

1,718
1
14
18

This did not work for me and I also couldn't find documentation anywhere on a config option with this name – mark.monteiro Nov 03 '20 at 00:02
Have you read the article in the link? This variable is what gitlab will take from your git client to authenticate and you need a personal access token. – Bizmate Nov 03 '20 at 01:00
I did read the linked article. `gitlab.accesstoken` does not do anything and there is no documentation anywhere on GitLab referencing it – mark.monteiro Nov 03 '20 at 15:40

Using GitLab token to clone without authentication

14 Answers14

Linked