Pipelines failing due to authentication errors after upgrade to GitLab 18.0
Description
- Jobs in pipelines fail with unexpected authentication errors on GitLab.com.
- Job log shows `Authentication by CI/CD job token not allowed`.
- Depending on the nature of the job, different wording or plain `HTTP 403` errors may occur.
Environment
Impacted offerings:
- GitLab Dedicated
- GitLab Self-Managed
Impacted versions:
- 18.0 and later
Solution
This solution applies only to Dedicated and Self-Managed instances. GitLab.com customers must follow this solution.
- Go to the Admin area of your GitLab instance
- Navigate to Settings > CI/CD
- Expand the Job token permissions section
- Uncheck the `Enable and enforce job token allowlist for all projects` setting
- After unchecking the setting, wait five minutes before retrying any affected jobs/pipelines.
If the setting is not checked, contact GitLab Support for further diagnosis.
Consider whether you want to leave the setting unchecked permanently. Refer to the Understanding this change section of the related breaking change to understand your options going forward.
Cause
During the upgrade to GitLab 18.0, the `Enable and enforce job token allowlist for all projects` setting is enabled by default to improve security.
This breaking change was first announced with GitLab 16.5. See the related deprecation notice for details.