Error 403 when performing Git operations
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Summary
This article covers three scenarios where you may encounter the 403 error while performing Git operations such as push/clone.
Environment
- Bitbucket Cloud repository
Diagnosis
Scenario 1:
- User A is able to perform GIT operations.
User B is on the same network subnet as User A attempts to perform the same Git operations, but they receive a 403 error response code:
$ git clone https://some_username@bitbucket.org/workspace_id/repo_name.git Cloning into 'repo_name'... remote: To access this repository, an admin must whitelist your IP. fatal: unable to access 'https://bitbucket.org/workspace_id/repo_name.git/': The requested URL returned error: 403
Scenario 2:
- User A is able to perform GIT operations.
User B is unable to clone with the following error message:
$ git clone https://some_username@bitbucket.org/workspace_id/repo_name.git Cloning into 'repo_name'... remote: To access this repository, enable two-step authentication. fatal: unable to access 'https://bitbucket.org/workspace_id/repo_name.git/': The requested URL returned error: 403
Scenario 3:
- User A is able to perform GIT operations
User B is unable to clone with the following error message
$ git clone https://some_username@bitbucket.org/workspace_id/repo_name.git Cloning into 'repo_name'... remote: The requested repository either does not exist or you do not have access. If you believe this repository exists and you have access, make sure you're authenticated. fatal: unable to access 'https://bitbucket.org/workspace_id/repo_name.git/': The requested URL returned error: 403
Cause
Scenario 1:
- IP Allowlisting is likely enabled on the workspace. The IP list is not exhaustive and only contains a particular number of IP addresses to match up to individual users within the organization.
Scenario 2:
- The Two-step verification requirement is enabled on the workspace. This setting requires collaborators to enable two-step verification to interact with private repositories.
Scenario 3:
- You likely have no access to the repository or workspace, causing the 403 error.
Solution
Scenario 1:
- Check the IP Allowlist setting from Workspace Settings > Access Controls to verify if the entire network is described and not just individual IP addresses
Have the user perform the following command to check what their public IP address is:
curl http://checkip.amazonaws.com/- Cross-reference the returned IP address with the allowlist
- If the IP address is not present but appears to be on the same network range, determine the subnet mask and add the network range along with the CIDR notation of that subnet mask to the allowlist
Example:
- User A has IP address 13.33.21.4 with a subnet mask of 255.255.255.224, this is present on the allowlist
- User B has IP address 13.33.21.5 with a subnet mask of 255.255.255.224, they are not present on the allowlist
- To solve the problem, you would add an entry defining the entire network range to the allowlist:
13.33.21.0/27
If the IP address obtained from Step 2 appears to be on a completely different network - the user may be operating behind a VPN and will need to disable this for testing purposes.
Scenario 2:
- Enable two-step verification to interact with private repositories.
Scenario 3:
- Contact an administrator of the repository or workspace to ensure you have access to clone the repository.
If the above instructions do not assist in resolving the issue, please raise a support ticket or raise a community support ticket for further assistance with this.