I am trying to trigger a pipeline from another pipeline in GitLab, but I continue to see this error: “Downstream pipeline cannot be created insufficient permission to set variable”
file1-ci.yml (Upstream)

    stages:
      - unit_test
      - security_scan
      - build_and_push
      - deploy_pipeline
    variables:
      MS_NAME: gcr-adservice
      MS_VERSION: v0.8.0
    trigger_deploy_pipeline:
      stage: deploy_pipeline
      trigger:
        project: devsecops-projects2/online-botique-gitops
        branch: main
        strategy: depend
        forward:
          pipeline_variables: true

file1-ci.yml (Downstream)

    stages:
      - deploy-dev
    deploy-dev:
      stage: deploy-dev
      before_script:
        - echo "Starting deployment to development environment"
        # Install yq, then configure the identity used for the commit
        - wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/local/bin/yq
        - chmod +x /usr/local/bin/yq
        - git config --global user.name gitlabci-bot
        - git config --global user.email gitlabci-bot@online-boutique.com
      script:
        - git checkout main
        # Set the image tag for MS_NAME to MS_VERSION in the dev overlay
        - yq -i "(.images[] | select(.name == \"$MS_NAME\") | .newTag) = \"$MS_VERSION\"" overlays/dev/kustomization.yaml
        - git add overlays/dev/kustomization.yaml
        - git commit -m "Update $MS_NAME to version $MS_VERSION"
        # HTTPS remote: host and path are separated by "/"
        - git push -o ci.skip "https://${GIT_PUSH_USERNAME}:${GIT_PUSH_PASSWORD}@gitlab.com/devsecops-projects2/online-botique-gitops.git"
      rules:
        # Run only when started by an upstream pipeline
        - if: $CI_PIPELINE_SOURCE == "pipeline"
          when: always
        - when: never

I removed the variables on the upstream and it was able to trigger the downstream pipeline. I don’t know what could be the cause.
Problem:
You’re seeing this error:
“Downstream pipeline cannot be created insufficient permission to set variable”
Because GitLab does not allow you to pass variables from one project to another unless:
- The triggering user has “Maintainer” or higher access to the downstream project.
- The variables being passed are not protected unless the triggering pipeline runs on a protected branch or tag.
Why it works when you remove MS_NAME and MS_VERSION:
Because GitLab blocks variable forwarding when:
- You try to pass custom variables (MS_NAME, MS_VERSION) from a non-protected pipeline into another project without the right permissions.
When you remove the variables, GitLab skips that security check.
How to fix:
Option 1: Make sure you have the right permissions
- The user running the upstream pipeline (e.g., a CI token or job token) must have at least Maintainer access to the downstream project.
If you use project access tokens or trigger tokens, they must have proper roles in the downstream project.
Option 2: Move variables to downstream project
Instead of sending variables from the upstream, define them in the downstream project’s CI/CD variables, or hardcode them in the downstream YAML for now.
Option 3: Trigger from a protected branch
If you want to pass protected or custom variables, make sure:
- The upstream pipeline runs on a protected branch (like main)
- The variables are not marked as “protected” unless the branch is protected.
Example fix in .gitlab-ci.yml (Upstream)
Make sure you’re using:

    trigger:
      project: devsecops-projects2/online-botique-gitops
      branch: main
      strategy: depend
      forward:
        pipeline_variables: true

…AND the job runs from a protected branch, or the variables are not marked as “protected” in GitLab UI.
Summary:
| Cause | Fix |
| --- | --- |
| Insufficient permission to pass variables | Give the triggering user Maintainer access to downstream project |
| Protected variables passed from non-protected branch | Run upstream job on a protected branch |
| GitLab blocks variable forwarding by default | Use forward: pipeline_variables: true and ensure proper permissions |
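
Whichever option is used, the downstream job places the forwarded MS_NAME and MS_VERSION directly into a yq expression and a commit message. The following is an added example, not part of the original posts, of a check the downstream job could run before using them; the function names, the accepted patterns and the file name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: validate variables forwarded by the upstream pipeline before
# the downstream job places them in the yq expression and commit message.
# Function names and accepted patterns are assumptions.
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII lowercase only

# Accept lowercase letters, digits and hyphens; 1-63 chars; no leading hyphen.
valid_ms_name() {
  name=$1
  [ -n "$name" ] && [ "${#name}" -le 63 ] || return 1
  case $name in
    -*|*[!a-z0-9-]*) return 1 ;;
  esac
  return 0
}

# Accept tags shaped like v0.8.0 (vMAJOR.MINOR.PATCH) and nothing else.
valid_ms_version() {
  case $1 in
    ''|*[!v0-9.]*) return 1 ;;   # also rejects spaces, quotes and newlines
  esac
  printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'
}

# Check both variables from the environment; report every failure and return 1
# if any value is rejected, so the job stops before yq or git run.
check_forwarded_vars() {
  rc=0
  valid_ms_name "${MS_NAME:-}" || { echo "MS_NAME rejected" >&2; rc=1; }
  valid_ms_version "${MS_VERSION:-}" || { echo "MS_VERSION rejected" >&2; rc=1; }
  return "$rc"
}

# Usage in the downstream job, as the first line of script:
#   . ./check_vars.sh && check_forwarded_vars   (file name is hypothetical)
```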