Pipelines on GitLab.com failing due to unexpected authentication errors
Description
- Jobs in pipelines fail with unexpected authentication errors on GitLab.com.
- Job log shows "Authentication by CI/CD job token not allowed".
- Depending on the nature of the job, different wording or plain HTTP 403 errors may occur.
Environment
Impacted offerings:
- GitLab.com
Impacted versions:
- 18.0 and later
Solution
This solution only applies to GitLab.com. Dedicated and Self-Managed instances must follow this solution.
Add your project to the job token allowlist of every other project that your project's pipeline accesses with a CI/CD job token.
Contact GitLab Support if the issue persists.
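The allowlist can be edited in each accessed project's CI/CD settings or through the REST API. The following sketch is an added example, not code from GitLab's article: it finds which accessed projects still lack your project in their allowlist and builds the `POST /projects/:id/job_token_scope/allowlist` call for each. The project IDs, the sample allowlist data and the token placeholder are constructed, only project entries are checked (not group entries), and the token is assumed to belong to a user allowed to change the accessed project's settings.

```python
import json
import urllib.request

API = "https://gitlab.com/api/v4"

def missing_targets(source_id, allowlists):
    """Return IDs of accessed projects whose allowlist lacks source_id.

    allowlists maps an accessed project's ID to the list of project objects
    returned by GET /projects/:id/job_token_scope/allowlist for that project.
    """
    return sorted(
        target for target, entries in allowlists.items()
        if target != source_id
        and source_id not in {entry["id"] for entry in entries}
    )

def allowlist_request(target_id, source_id, token):
    """Build the POST that adds source_id to target_id's allowlist.

    In this endpoint the URL :id is the project being accessed, and the
    target_project_id body field is the project being granted access.
    """
    body = json.dumps({"target_project_id": source_id}).encode()
    return urllib.request.Request(
        f"{API}/projects/{target_id}/job_token_scope/allowlist",
        data=body,
        method="POST",
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
    )

def plan(source_id, allowlists, token):
    """One request per accessed project that is missing the entry."""
    return [allowlist_request(t, source_id, token)
            for t in missing_targets(source_id, allowlists)]

if __name__ == "__main__":
    # Constructed sample: project 42 runs the failing pipeline and reads
    # from projects 101, 102 and 103 with its job token.
    sample = {
        101: [{"id": 101}, {"id": 42}],   # already allowlisted
        102: [{"id": 102}],               # missing
        103: [],                          # missing
    }
    for req in plan(42, sample, "<personal-access-token>"):
        # Dry run: print the call; send it with urllib.request.urlopen(req).
        print(req.get_method(), req.full_url, req.data.decode())
```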
Cause
As part of the upgrade to GitLab 18.0, all projects on GitLab.com are now enforcing the job token allowlist. Previously, it was possible to set a project to allow access either from "All groups and projects" or "Only this project and any groups and projects in the allowlist".
To avoid disruption, the allowlists of all projects have automatically been populated with entries from the job token authentication log.
This means that any project using access via the old "All groups and projects" option within 30 days prior to this change can still access things despite the allowlist now being enforced.
If you're running into this error, it is most likely in a pipeline that runs less frequently.
This breaking change was first announced with GitLab 16.5. See the related deprecation notice for details.