CI_JOB_TOKEN cannot access private repositories even if "Limit Access to this Project" allows it to.
Summary
I have 3 repositories in 2 different groups.
- groupA/repo1 - Internal
- groupB/repo2 - Internal
- groupB/repo3 - Private
I am using the "Limit Access to this Project" feature concerning the CI_JOB_TOKEN.
Using this feature:
- groupA/repo1 is allowed to access groupB/repo2 AND groupB/repo3.
- groupB/repo2 is allowed to access groupB/repo3.
In a scheduled pipeline of the project groupA/repo1, owned by a Maintainer of groupA (Albert), I run these 2 commands:
# The internal repo
# this works well
git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@example.com/groupB/repo2
# The Private repo
# this fails with
# remote: The project you were looking for could not be found or you don't have permission to view it.
# fatal: repository 'https://example.com/groupB/repo3' not found
git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@example.com/groupB/repo3
Albert is a Maintainer of groupA but does not have any role in groupB; Albert does not even belong to groupB. Albert is a bot user created via a group Access Token with the api scope and the Maintainer role on groupA.
Steps to reproduce
- Have 2 Internal groups: groupA and groupB
- Create repo1 (Internal) in groupA
- Create repo2 (Internal) in groupB
- Create repo3 (Private) in groupB
- Add the line: groupA/repo1 in "Limit Access to this Project" on repo groupB/repo2
- Add the line: groupA/repo1 in "Limit Access to this Project" on repo groupB/repo3
- Add the line: groupB/repo2 in "Limit Access to this Project" on repo groupB/repo3
- Create an Access Token on groupA (role Maintainer, scope 'api'). Let's call it Albert.
- Create a pipeline schedule on groupA with Albert as the owner.
- In the CI job of this schedule on groupA/repo1, run:
git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@example.com/groupB/repo2
git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@example.com/groupB/repo3
- The first line should succeed and the second should fail.
What is the current bug behavior?
I feel like the CI_JOB_TOKEN cannot access private repositories even if explicitly allowed via "Limit Access to this Project".
The current documentation does not specify this behavior. It states:
When enabled, and the job token is being used to access a different project:
- The user that executes the job must be a member of the project that is being accessed.
- The user must have the permissions to perform the action.
- The accessed project must have the project attempting to access it added to the allowlist.
The user that executes the job must be a member of the project that is being accessed.
-> Currently, if the project is Internal, it is possible for a non-member to clone it.
The accessed project must have the project attempting to access it added to the allowlist.
-> This is the case.
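To check the three documented conditions (allowlist entry, membership of the pipeline user, and the target's visibility, which is what lets a non-member clone an internal project but not a private one) before relying on a cross-project clone, the following script queries the GitLab REST API with a PRIVATE-TOKEN that has the api scope. It is an added example for the setup described in the steps to reproduce above, not code from this issue or from GitLab. The endpoints it calls (`GET /projects/:id`, `GET /projects/:id/job_token_scope`, `GET /projects/:id/job_token_scope/allowlist`, `GET /projects/:id/members/all/:user_id`) are assumed from the GitLab 16.x API and should be verified against your instance's documentation; the embedded responses and the user id 7 for Albert are constructed for the offline demo.

```python
"""Check the documented conditions for cross-project CI_JOB_TOKEN access.

Added example, not code from the issue or from GitLab. The API endpoints are
assumed from the GitLab 16.x REST API; verify them against your instance.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Optional

# A fetcher maps an API path such as "/projects/42" to the parsed JSON body,
# or None when the API answers 404 (unknown project, or user not a member).
Fetcher = Callable[[str], Optional[Any]]


def gitlab_fetcher(base_url: str, private_token: str) -> Fetcher:
    """Fetcher for a real instance, authenticated with a PRIVATE-TOKEN (api scope)."""
    def fetch(path: str) -> Optional[Any]:
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/api/v4{path}",
            headers={"PRIVATE-TOKEN": private_token},
        )
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None
            raise
    return fetch


def project_ref(path_with_namespace: str) -> str:
    """GitLab accepts a URL-encoded full path wherever a numeric project id goes."""
    return urllib.parse.quote(path_with_namespace, safe="")


def check_job_token_access(fetch: Fetcher, source: str, target: str, pipeline_user_id: int) -> dict:
    """Evaluate whether a job in `source` can clone `target` with CI_JOB_TOKEN."""
    project = fetch(f"/projects/{project_ref(target)}")
    if project is None:
        raise ValueError(f"target project not found or not visible to this token: {target}")
    pid = project["id"]
    visibility = project["visibility"]

    # Condition 3: inbound limit enabled on the target and source allowlisted.
    scope = fetch(f"/projects/{pid}/job_token_scope") or {}
    inbound_limited = bool(scope.get("inbound_enabled", True))
    allowlist = fetch(f"/projects/{pid}/job_token_scope/allowlist") or []
    allowlisted = any(entry.get("path_with_namespace") == source for entry in allowlist)
    # Condition 1: the user running the pipeline is a (direct or inherited) member.
    is_member = fetch(f"/projects/{pid}/members/all/{pipeline_user_id}") is not None

    if inbound_limited and not allowlisted:
        verdict = "blocked: source project is not on the target's allowlist"
    elif is_member:
        verdict = "ok: pipeline user is a member of the target"
    elif visibility in ("public", "internal"):
        verdict = f"ok: target is {visibility}, readable by any authenticated user"
    else:
        verdict = "blocked: pipeline user is not a member of a private target"

    return {
        "source": source,
        "target": target,
        "target_visibility": visibility,
        "inbound_limited": inbound_limited,
        "source_allowlisted": allowlisted,
        "pipeline_user_is_member": is_member,
        "verdict": verdict,
    }


# Constructed API responses mirroring the issue's setup. User 7 stands in for
# Albert, who is a member of nothing in groupB, so every membership lookup
# is missing here and therefore behaves like a 404.
DEMO_RESPONSES = {
    "/projects/groupB%2Frepo2": {"id": 2, "path_with_namespace": "groupB/repo2", "visibility": "internal"},
    "/projects/2/job_token_scope": {"inbound_enabled": True, "outbound_enabled": False},
    "/projects/2/job_token_scope/allowlist": [{"id": 1, "path_with_namespace": "groupA/repo1"}],
    "/projects/groupB%2Frepo3": {"id": 3, "path_with_namespace": "groupB/repo3", "visibility": "private"},
    "/projects/3/job_token_scope": {"inbound_enabled": True, "outbound_enabled": False},
    "/projects/3/job_token_scope/allowlist": [
        {"id": 1, "path_with_namespace": "groupA/repo1"},
        {"id": 2, "path_with_namespace": "groupB/repo2"},
    ],
}


def demo_fetch(path: str) -> Optional[Any]:
    """Offline fetcher over DEMO_RESPONSES; unknown paths behave like a 404."""
    return DEMO_RESPONSES.get(path)


if __name__ == "__main__":
    for target in ("groupB/repo2", "groupB/repo3"):
        print(json.dumps(check_job_token_access(demo_fetch, "groupA/repo1", target, 7), indent=2))
```

Against a real instance, replace `demo_fetch` with `gitlab_fetcher("https://example.com", token)` and pass the numeric id of the bot user that owns the pipeline schedule. The verdict for groupB/repo3 is "blocked" even though the allowlist entry is present, which is exactly the split between condition 3 and condition 1 that this issue is about.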
What is the expected correct behavior?
The CI_JOB_TOKEN should allow the allowlisted projects to clone public, internal and private repositories.
Results of GitLab environment info
- self hosted GitLab
- v16.5.1
