An error "You are not permitted to access this resource" appears in Bitbucket Data Center while creating a fork repository into a different project via the API
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary:
When a user uses the fork repository API to create a fork of a repository into a different project using a project level access token, the following error occurs.
{"errors":[{"context":null,"message":"You are not permitted to access this resource","exceptionName":"com.atlassian.bitbucket.AuthorisationException"}]}Environment:
The solution has been validated in Bitbucket Data Center 8.9.10 but may be applicable to other versions.
Diagnosis:
The
atlassian-bitbucket.logwill have the following error stack trace:2024-08-07 15:44:13,884 DEBUG [http-nio-7991-exec-3] @9UT0S0x944x120x0 10.211.XX.XX "POST /rest/api/latest/projects/PRO1/repos/repo5 HTTP/1.1" c.a.b.i.c.s.CrowdSsoAuthenticationHandler Skipping Crowd SSO as it is not enabled 2024-08-07 15:44:13,884 DEBUG [http-nio-7991-exec-3] @9UT0S0x944x120x0 10.211.XX.XX "POST /rest/api/latest/projects/PRO1/repos/repo5 HTTP/1.1" c.a.s.i.a.DefaultAuthenticationService <>: Authenticator 'com.atlassian.bitbucket.server.bitbucket-crowd-sso:crowdSsoAuthHandler' opted out 2024-08-07 15:44:13,884 DEBUG [http-nio-7991-exec-3] @9UT0S0x944x120x0 10.211.XX.XX "POST /rest/api/latest/projects/PRO1/repos/repo5 HTTP/1.1" c.a.s.i.a.DefaultAuthenticationService <>: Authenticator 'com.atlassian.bitbucket.server.bitbucket-git-lfs:git-lfs-jwt-auth-handler' opted out 2024-08-07 15:44:13,918 DEBUG [http-nio-7991-exec-3] @9UT0S0x944x120x0 10.211.XX.XX "POST /rest/api/latest/projects/PRO1/repos/repo5 HTTP/1.1" c.a.s.i.user.DefaultUserService access-token-user/1/1: Skipping remote active check (Active: true; Enabled: true) 2024-08-07 15:44:13,921 DEBUG [http-nio-7991-exec-3] @9UT0S0x944x120x0 10.211.XX.XX "POST /rest/api/latest/projects/PRO1/repos/repo5 HTTP/1.1" c.a.s.i.a.DefaultAuthenticationService <>: Authenticator 'com.atlassian.bitbucket.server.bitbucket-access-tokens:accessTokenHttpAuthHandler' authenticated access-token-user/1/1 (52) 2024-08-07 15:44:13,955 DEBUG [http-nio-7991-exec-3] access-token-user/1/1 @9UT0S0x944x120x0 13kt56t 10.211.XX.XX "POST /rest/api/latest/projects/PRO1/repos/repo5 HTTP/1.1" c.a.s.i.r.e.ServiceExceptionMapper Mapping AuthorisationException to REST response 401 - You are not permitted to access this resourceThe following error will appear on the user terminal.
curl -H 'Authorization: Bearer BBDC-MjE5OTE5NjI2Nzc3Op/RUnu3JK67r/XXXXXXXXXXXXXX' --request POST --url 'http://10.211.XX.XX:7990/rest/api/latest/projects/PRO1/repos/repo5' --header 'Accept: application/json' --header 'Content-Type: application/json' --data '{ "links": {}, "name": "forkrepo5", "project": { "key": "PRO2", "links": {} }, "scmId": "git", "slug": "forkrepo5" }' {"errors":[{"context":null,"message":"You are not permitted to access this resource","exceptionName":"com.atlassian.bitbucket.AuthorisationException"}]}
Cause:
A project (source or target) level HTTP access token is only valid for one project, hence it cannot be utilised if the fork repository is created on a different project.
Solution:
Use the user's login credentials or personal access token (PAT) in the API that has at least read permission on source and create repository permission on target project.