Using GitLab token to clone without authentication

Question

I want to clone GitLab repository without prompt for my automation script, by using my private token from my GitLab account.

Can someone provide me a sample?

I know I can do so with user and password:

git clone https://" + user + ":" + password + "@" + gitlaburl;

and I know it is possible with ssh key

But, both options are insufficient.

for me the usefull syntax was: https://$GIT_USERNAME:$GITLAB_PERSONAL_ACCESS_TOKEN@gitlaburl — user1767316, May 20 '21 at 12:58
for me the usefull syntax was: https://pat:@gitlab.com/org/proj — Eduardo Mior, Nov 01 '22 at 18:18

score 450 · Answer 1 · edited Jun 24 '22 at 09:20

450

This is how you do it:

git clone https://oauth2:[email protected]/vendor/package.git

edited Jun 24 '22 at 09:20

vvvvv

25,404
19
49
81

answered Apr 10 '15 at 21:05

Roshan Gautam

4,780
1
13
11

3

This worked for me on GitLab 8.5.7 Enterprise Edition. – Ben Patterson Aug 05 '16 at 02:45
1

Works here (GitLab Community Edition 8.16.5 064dab1) – serverhorror Apr 06 '17 at 16:15
19

It works! I wonder why on gitlab.com on project details they don't give the complete command syntax :-(( – FRa Feb 28 '18 at 17:16
1

Works for Gitlab 10.4.4 but you need to make an `api` token. A `read_user` can only read repos under `/users` – Kurt Mar 17 '18 at 15:22
If there is a `submodule` inside, which hosted under the same account, the `clone` will still prompt to type in username and password. Is there any workaround? – weefwefwqg3 Sep 10 '18 at 18:14
3

The `oauth2` portion is probably arbitrary. I put the name of the access token instead. – Kenny Evitt Oct 16 '18 at 20:19
This worked for me, after create token with API permissions – Rutrus Nov 08 '18 at 11:56
9

How to use this over `ssh`? – hemu Apr 02 '19 at 06:00
This answer helped me a lot but a pratical example solved my problem. Supposing to use GitLab, the solution is "git clone https://oauth2:[email protected]/pippo/projectname.git", where PERSONAL_ACCESS_TOKEN = a3Fae3FaQty5aq and pippo = username. Hope it will be helpful – Gianluca Jun 19 '20 at 07:25
7

Even `read_api` and `write_api` permissions are not enough. You have to have `api`. – Ella Sharakanski Dec 02 '20 at 14:48
Gitlab dot com should have this on their landing page under "cloning your repo ? do this first" – angryITguy Jan 05 '22 at 04:01
On Gitlab 14.7 (probably earlier versions too) any username (even blank username) will do as well: ```git clone https://xxx:[email protected]/group/project.git``` Change xxx for empty string or any of your choice – Mario J. Barchéin Feb 08 '22 at 19:09
@EllaSharakanski - currently, using https access, the `read_repository` permission is sufficient in order to clone a git repository. – Guss Nov 21 '22 at 13:03
`git clone https://:[email protected]/group/projet.git` – Peter Kionga-Kamau Feb 15 '23 at 20:58

score 134 · Answer 2 · edited Dec 21 '17 at 12:59

134

The gitlab has a lot of tokens:

Private token
Personal Access Token
CI/CD running token

I tested only the Personal Access Token using GitLab Community Edition 10.1.2, the example:

git clone https://gitlab-ci-token:${Personal Access Tokens}@gitlab.com/username/myrepo.git


git clone https://oauth2:${Personal Access Tokens}@gitlab.com/username/myrepo.git

or using username and password:

git clone https://${username}:${password}@gitlab.com/username/myrepo.git

or by input your password:

git clone https://${username}@gitlab.com/username/myrepo.git

But the private token seems can not work.

edited Dec 21 '17 at 12:59

Roman Snitko

3,655
24
29

answered Nov 24 '17 at 10:18

xuanyuanaosheng

1,684
1
11
9

9

Note that private tokens were removed in favour of personal access tokens in GitLab 10.2: https://about.gitlab.com/2017/09/22/gitlab-10-0-released/#private-tokens – David Planella Nov 11 '18 at 06:05
And about user+password+token? How to express all in one URL? Now my gitlab-software server use all, login and two-factor (or token). – Peter Krauss Jan 06 '21 at 22:53
2

what are the differences for `gitlab-ci-token`, `oauth2` and `x-access-token`? all of these 3 work for me. – Lei Yang Apr 20 '22 at 06:44

score 56 · Answer 3 · answered Jun 22 '18 at 05:14

56

Use the token instead of the password (the token needs to have "api" scope for clone to be allowed):

git clone https://username:[email protected]/user/repo.git

Tested against 11.0.0-ee.

answered Jun 22 '18 at 05:14

Zbyněk Winkler

1,263
1
12
12

7

For people Googling this: this is what you want if using Personal Access Tokens over HTTPS on gitlab.com. – Adam Baxter Aug 10 '19 at 13:50
15

Isn't it amazing that we have to find this here and not on the GitLab Docs page on Personal Access Tokens? – cryanbhu Feb 14 '21 at 05:54
1

Thx for "the token needs to have "api" scope for clone to be allowed"! – MingalevME Aug 19 '22 at 09:44

score 48 · Answer 4 · answered Jan 25 '16 at 22:39

48

You can do it like this:

git clone https://gitlab-ci-token:<private token>@git.example.com/myuser/myrepo.git

answered Jan 25 '16 at 22:39

Tim Hughes

3,144
2
24
24

3

this seems right but it always fails authentication for me :( – Randyaa Apr 25 '16 at 01:52
same to me: fatal: Authentication failed for – vogash May 03 '16 at 10:22
6

needs to be replaced with the CI runner's token, not the account's private token. – Kip Jun 02 '16 at 15:08
2

i think you should also be able to use your personal token right @tim – Gobi Dasu Jul 02 '16 at 10:55
You can use the project specific ci token (enable builds, then go to the project/runners config). – BM5k Jul 26 '16 at 19:10
but I host an gitlab server for myself and its version is 6.6.2. I only have private token. When I run the command git clone https://" + user + ":" + password + "@" + gitlaburl; I got error fatal: Authentication failed for . same as @vogash – biolinh Feb 09 '17 at 12:02
It still works for me. @biolinh Did you try generating the personal access token with api scope, from the Acess Tokens section under user settings. – darkdefender27 Mar 08 '18 at 06:52
tested using personal access token, works as of 2019-03 – Erik Aronesty Mar 04 '19 at 15:29
This solution worked for me, the highest voted solution (using oauth2) did not work. Literally just changed from oauth2 to gitlab-ci-token and it started working – ET Come Back Mar 08 '19 at 20:02

score 32 · Answer 5 · edited Jun 24 '22 at 09:20

32

If you already has a repository and just changed the way you do authentication to MFA, u can change your remote origin HTTP URI to use your new api token as follows:

git remote set-url origin https://oauth2:TOKEN@ANY_GIT_PROVIDER_DOMAIN/YOUR_PROJECT/YOUR_REPO.git

And you wont need to re-clone the repository at all.

edited Jun 24 '22 at 09:20

vvvvv

25,404
19
49
81

answered Sep 03 '18 at 17:51

Roger Barreto

2,004
1
17
21

8

`git clone https://oauth2:TOKEN@ANY_GIT_PROVIDER_DOMAIN/YOUR_PROJECT/YOUR_REPO.git` also worked for me, thank you!! I will Answer this thread with my correct solution. – Rutrus Nov 08 '18 at 11:54

score 15 · Answer 6 · edited Aug 17 '16 at 20:43

15

You can use the runners token for CI/CD Pipelines of your GitLab repo.

git clone https://gitlab-ci-token:<runners token>@git.example.com/myuser/myrepo.git

Where <runners token> can be obtained from:

git.example.com/myuser/myrepo/pipelines/settings

or by clicking on the Settings icon -> CI/CD Pipeline and look for Runners Token on the page

Screenshot of the runners token location:

edited Aug 17 '16 at 20:43

jmq

10,110
16
58
71

answered Aug 17 '16 at 07:02

Enlai

158
2
4

5

Note: The runners token has been deprecated now. – Arihant Godha Sep 22 '16 at 12:34
@ArihantGodha source? – miq Sep 23 '16 at 10:22
2

@miq see [here](https://docs.gitlab.com/ce/user/project/new_ci_build_permissions_model.html) (as of >= 8.12) – Yan Foto Oct 21 '16 at 11:19
1

This format is now deprecated, please see https://stackoverflow.com/questions/25409700/using-gitlab-token-to-clone-without-authentication/47347515#47347515 – Muhan Alim Nov 17 '17 at 09:43
2

Doesn't work from inside GitLab CI pipeline. But this line works: `git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/...` – Slawa Aug 30 '18 at 13:47

score 14 · Answer 7 · edited Jun 24 '22 at 09:20

Many answers above are close, but they get ~username syntax for deploy tokens incorrect. There are other types of tokens, but the deploy token is what gitlab offers (circa 2020+ at least) per repo to allow customized access, including read-only.

From a repository (or group), find the settings --> repository --> deploy tokens. Create a new one. A username and token field are created. The username is NOT a fixed value by default; it's unique to this token.

git clone https://<your_deploy_token_username>:<the_token>@gitlab.com/your/repo/path.git

Tested on gitlab.com public, free account.

score 13 · Answer 8 · edited Apr 16 '19 at 23:38

13

One possible way is using a deploy token (https://docs.gitlab.com/ee/user/project/deploy_tokens). After creating the token, use:

git clone https://<username>:<deploy_token>@gitlab.example.com/tanuki/awesome_project.git

as mentioned in the link above.

edited Apr 16 '19 at 23:38

Vix

1,046
10
16

answered Sep 02 '18 at 11:59

shahar taite

462
6
11

Neither does this seem to be working with npm install on a fresh docker container, defaults to ssh. – Vix Apr 17 '19 at 10:57

score 12 · Answer 9 · edited Jun 17 '19 at 13:27

12

Inside a GitLab CI pipeline the CI_JOB_TOKEN environment variable works for me:

git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/...

Source: Gitlab Docs

BTW, setting this variable in .gitlab-ci.yml helps to debug errors.

variables:
    CI_DEBUG_TRACE: "true"

edited Jun 17 '19 at 13:27

Martin Thoma

124,992
159
614
958

answered Aug 30 '18 at 13:50

Slawa

1,141
15
21

score 10 · Answer 10 · edited Jun 20 '20 at 09:12

10

As of 8.12, cloning using HTTPS + runner token is not supported anymore, as mentioned here:

In 8.12 we improved build permissions. Being able to clone project using runners token it is no supported from now on (it was actually working by coincidence and was never a fully fledged feature, so we changed that in 8.12). You should use build token instead.

This is widely documented here - https://docs.gitlab.com/ce/user/project/new_ci_build_permissions_model.html.

edited Jun 20 '20 at 09:12

Community

1
1

answered Oct 21 '16 at 11:51

Yan Foto

10,850
6
57
88

1

It isn't possible using runners tokens but is using personal access tokens. Please see my answer: https://stackoverflow.com/questions/25409700/using-gitlab-token-to-clone-without-authentication/47347515#47347515 – Muhan Alim Nov 17 '17 at 09:42
@MuhanAlim I'd recommend no one to expose their whole account using access tokens. That's why they are called ***Private** Access Tokens*! – Yan Foto Nov 17 '17 at 11:09
The question doesn't mention anything about making the key public, only how to use the key in place of a username and password for cloning. But that it is a good point, I would not recommend anyone use the keys anywhere that is public. – Muhan Alim Nov 17 '17 at 11:45
2

*automation script* implies that the whole procedure is not running locally. Probably somewhere where others also have access to. – Yan Foto Nov 17 '17 at 15:19

MountainAsh · Answer 11 · 2022-04-05T09:39:30.173

8

These days (Oct 2020) you can use just the following

git clone $CI_REPOSITORY_URL

Which will expand to something like:

git clone https://gitlab-ci-token:[MASKED]@gitlab.com/gitlab-examples/ci-debug-trace.git

Where the "token" password is ephemeral token (it will be automatically revoked after a build is complete).

edited Apr 05 '22 at 09:39

answered Oct 19 '20 at 15:49

MountainAsh

428
6
12

How does it know the repository URL that you want? Seems like this would only work in CI/CD for the current repo. – Peter Kionga-Kamau Feb 15 '23 at 21:00

score 4 · Answer 12 · answered Jun 17 '19 at 15:19

To make my future me happy: RTFM - don't use the gitlab-ci-token at all, but the .netrc file.

There are a couple of important points:

echo -e "machine gitlab.com\nlogin gitlab-ci-token\npassword ${CI_JOB_TOKEN}" > ~/.netrc
Don't forget to replace "gitlab.com" by your URL!
Don't try to be smart and create the .netrc file directly - gitlab will not replace the $CI_JOB_TOKEN within the file!
Use https://gitlab.com/whatever/foobar.com - not ssh://git@foobar, not git+ssh://, not git+https://. You also don't need any CI-TOKEN stuff in the URL.
Make sure you can git clone [url from step 4]

Background: I got

fatal: could not read Username for 'https://gitlab.mycompany.com': No such device or address

when I tried to make Ansible + Gitlab + Docker work as I imagine it. Now it works.

score 3 · Answer 13 · answered Feb 08 '17 at 08:25

3

I went SSH using the per project deploy keys setting (read only)

answered Feb 08 '17 at 08:25

Laurent

1,048
11
23

Me too because I am using GIT_STRATEGY: none. – Aalex Gabi Mar 22 '18 at 08:59

score 3 · Answer 14 · answered Jul 29 '21 at 15:46

In my case, I just provided the token instead the password (second input field).

I pushed a local repo for the first time from the command line.

From the scratch, these are the commands I entered (remember to move inside the repo's folder first).

$ git init

$ git status

$ git add .

$ git status

$ git commit -m 'Shinra Tensei.'

$ git push --set-upstream https://gitlab.com/userName/my-repo.git master

Then, the pop-up message you can see in the picture comes up. Provided USERNAME and TOKEN.

thank you so much, your answer helped me – whitesiroi Nov 12 '21 at 06:16 — whitesiroi, Nov 12 '21 at 06:16

score 2 · Answer 15 · answered Mar 03 '23 at 13:41

2

Using PAT (Personal Access Token):

https://pat:<your-token>@gitlab.com/<org>/<proj>

answered Mar 03 '23 at 13:41

Eduardo Mior

156
2
10

1

I couldn't find any documentation on this, but it works! – poof86 Jun 13 '23 at 20:44

score 0 · Answer 16 · edited Jan 11 '23 at 15:29

0

you can change your:

user:oauth2
password : <youraccesstoken>

example:

git clone https://oauth2:<token>@hahahehe.com/yourname/yourproject.git

edited Jan 11 '23 at 15:29

m.myalkin

1,128
1
10
18

answered Jan 10 '23 at 04:37

HACKER-MAGELANG

1

score 0 · Answer 17 · answered Feb 27 '23 at 09:55

It may help: In your gitlab-ci file: Add this on before script step

before_script:
  - git config --global credential.helper store
  - echo "https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}" >> ~/.git-credentials
  - chmod 600 ~/.git-credentials

Thanks

score -2 · Answer 18 · answered Feb 16 '20 at 07:59

-2

Customising the URL is not needed. Just use a git configuration for gitlab tokens such as

git config --global gitlab.accesstoken {TOKEN_VALUE}

extended description here

answered Feb 16 '20 at 07:59

Bizmate

1,835
1
15
19

This did not work for me and I also couldn't find documentation anywhere on a config option with this name – mark.monteiro Nov 03 '20 at 00:02
Have you read the article in the link? This variable is what gitlab will take from your git client to authenticate and you need a personal access token. – Bizmate Nov 03 '20 at 01:00
I did read the linked article. `gitlab.accesstoken` does not do anything and there is no documentation anywhere on GitLab referencing it – mark.monteiro Nov 03 '20 at 15:40

Using GitLab token to clone without authentication

18 Answers18

Linked