I have a private repository that is hosted on gitlab.com. I've created a project access token with read_repository scope. The intention is that any user with the project access token can clone the repository.
I'm issuing:
git clone https://[email protected]/user/repo.git
and when prompted for my password, I enter the project access token, but am told:
Cloning into 'repo'...
Password for 'https://[email protected]':
remote: You are not allowed to download code from this project.
fatal: unable to access 'https://gitlab.com/user/repo.git/': The requested URL returned error: 403
I've tried creating a number of additional project access tokens with multiple scopes in addition to read_repository, but get the same error. I've also tried cloning using the project access token directly in the clone:
git clone https://xyz:[email protected]/user/repo.git
but get the same error.
Clarifications
All project access tokens I've created have an expiry date set to a month from now. The xyz string is, to my understanding, irrelevant, since it's a placeholder for the username. From the GitLab documentation, it seems this can be any non-empty string.
I can confirm, as @ton rightly noted, that Reporter is the minimal level needed for reading the repository, despite (or, more precisely, in addition to) the flags set when creating the project access token.
For others facing similar problems, I have discovered that the following levels are needed:
| Operation | Level |
|---|---|
| reading (git fetch, git clone etc.) | Reporter |
| writing (git push) | Developer |
| writing to protected branch | Maintainer |
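
The rule in the answer above (scope and role must both be sufficient) can be turned into a pre-flight check. This is an added example, not code from the original posts or from GitLab. It assumes token records shaped like GitLab's project access token listing (`scopes`, `access_level`, `expires_at`, `revoked`, `active`), considers only the repository scopes, and runs on constructed sample data:

```python
import json
from datetime import date

# GitLab numeric role values as they appear in the access_level field.
ROLES = {"Guest": 10, "Reporter": 20, "Developer": 30, "Maintainer": 40}

# Per operation: scopes that allow it, and the minimum role from the table above.
# Assumption: write_repository also permits reads; other scopes are not considered.
REQUIREMENTS = {
    "clone": ({"read_repository", "write_repository"}, "Reporter"),
    "push": ({"write_repository"}, "Developer"),
    "push_protected": ({"write_repository"}, "Maintainer"),
}

def diagnose(token, operation, today):
    """Return the reasons a token cannot perform the operation (empty list = allowed)."""
    scopes, min_role = REQUIREMENTS[operation]
    problems = []
    if token.get("revoked") or not token.get("active", True):
        problems.append("token is revoked or inactive")
    expires = token.get("expires_at")
    # Treated as expired from the start of the expiry date onwards.
    if expires and date.fromisoformat(expires) <= today:
        problems.append(f"token expired on {expires}")
    if not scopes & set(token.get("scopes", [])):
        problems.append(f"missing scope (need one of: {', '.join(sorted(scopes))})")
    level = token.get("access_level", 0)
    if level < ROLES[min_role]:
        problems.append(f"role below {min_role} (access_level {level})")
    return problems

# Constructed sample data: same scope, different roles.
SAMPLE = json.loads("""[
  {"name": "clone-guest", "scopes": ["read_repository"], "access_level": 10,
   "expires_at": "2030-01-31", "revoked": false, "active": true},
  {"name": "clone-reporter", "scopes": ["read_repository"], "access_level": 20,
   "expires_at": "2030-01-31", "revoked": false, "active": true}
]""")

def report(tokens, today):
    """Map (token name, operation) to the list of problems found."""
    return {(t["name"], op): diagnose(t, op, today)
            for t in tokens for op in REQUIREMENTS}

if __name__ == "__main__":
    for (name, op), problems in report(SAMPLE, date(2029, 1, 1)).items():
        print(f"{name:15} {op:15} {'; '.join(problems) or 'OK'}")
```

The first sample token has the right scope but still fails the clone check on role alone, which matches the 403 described in the question.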