How can I trigger a downstream pipeline from upstream error "Downstream pipeline cannot be created insufficient permission to set variable"

I am trying to trigger a pipeline from another pipeline in gitlab but I continue to see this error “Downstream pipeline cannot be created insufficient permission to set variable”

file1-ci.yml(Upstream)

stages:
- unit_test
- security_scan
- build_and_push
- deploy_pipeline



variables:
  MS_NAME: gcr-adservice
  MS_VERSION: v0.8.0

trigger_deploy_pipeline:
  stage: deploy_pipeline
  trigger:
    project: devsecops-projects2/online-botique-gitops
    branch: main
    strategy: depend
    forward:
      pipeline_variables: true
  

file1-ci.yml(Downstream)

stages:
  - deploy-dev

deploy-dev:
  stage: deploy-dev
  before_script:
    - echo "Starting deployment to development environment"
    - wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/local/bin/yq &&\
    - chmod +x /usr/local/bin/yq
    - git config --global user.name gitlabci-bot
    - git config --global user.email gitlabci-bot@online-boutique.com 

  script:
    - git checkout main
    - yq -i "(.images[] | select(.name == \"$MS_NAME\") | .newTag) = \"$MS_VERSION\"" overlays/dev/kustomization.yaml
    - git add overlays/dev/kustomization.yaml
    - git commit -m "Update $MS_NAME to version $MS_VERSION"
    - git push -o ci.skip "https://${GIT_PUSH_USERNAME}:${GIT_PUSH_PASSWORD}@gitlab.com:devsecops-projects2/online-botique-gitops.git"
    

  rules:
  - if: $CI_PIPELINE_SOURCE == "pipeline"
    when: always
  - when: never

I removed the variables on the upstream and it was able to trigger the downstream pipeline. I don’t know what could be the cause

Problem:

You’re seeing this error:

“Downstream pipeline cannot be created insufficient permission to set variable”

Because GitLab does not allow you to pass variables from one project to another unless:

• The triggering user has “Maintainer” or higher access to the downstream project.
• The variables being passed are not protected unless the triggering pipeline runs on a protected branch or tag.

Why it works when you remove MS_NAME and MS_VERSION:

Because GitLab blocks variable forwarding when:

• You try to pass custom variables (MS_NAME, MS_VERSION) from a non-protected pipeline into another project without the right permissions.

When you remove the variables, GitLab skips that security check.

How to fix:

Option 1: Make sure you have the right permissions

• The user running the upstream pipeline (e.g., a CI token or job token) must have at least Maintainer access to the downstream project.

If you use project access tokens or trigger tokens, they must have proper roles in the downstream project.

Option 2: Move variables to downstream project

Instead of sending variables from the upstream, define them in the downstream project’s CI/CD variables, or hardcode them in the downstream YAML for now.

Option 3: Trigger from a protected branch

If you want to pass protected or custom variables, make sure:

• The upstream pipeline runs on a protected branch (like main)
• The variables are not marked as “protected” unless the branch is protected.

Example fix in .gitlab-ci.yml (Upstream)

Make sure you’re using:

trigger:
  project: devsecops-projects2/online-botique-gitops
  branch: main
  strategy: depend
  forward:
    pipeline_variables: true

…AND the job runs from a protected branch, or the variables are not marked as “protected” in GitLab UI.

Summary: