Fetching private GitLab repo via HTTP

Question

My plan is to use deploy tokens to access private repos (hosted GitLab).

This one works fine:

 git clone https://my-gitlab-deploy-token-user:[email protected]/username/projectname.git

Accessing archive.tgz fails with authentication error:

curl https://my-gitlab-deploy-token-user:[email protected]/username/projectname/repository/archive.tar.gz?ref=master

Anyone has an idea why the token authentication works fine using HTTP endpoint for the Git client but fails fetching the archive tarball directly?

Answer 1

The deploy token only allow to clone repository and read docker registry.

Whereas, the Personal Access Tokens allow to authenticate "against Git over HTTP or SSH". Note, they are only limited to the following: API,RSS,Registry. There is a note about about this limitation due to an "Improper Enforcement of Token Scope" on the gitlab blog.