This error occurs when Bitbucket's branch permissions or restrictions block your push attempt. The branch is typically protected to require pull requests, or your user account lacks write access to the target branch.
When you push to a Bitbucket repository and receive "You don't have permission to push to this branch," it means branch-level restrictions are preventing direct pushes. This is different from repository-level permissions—you may have write access to the repository overall but still be blocked from pushing to specific branches. Bitbucket offers several branch protection mechanisms: - **Prevent changes without a pull request** - All changes must go through the PR workflow - **Prevent all changes** - Completely blocks pushes to matching branches - **Prevent rewriting history** - Blocks force pushes and rebases - **Write access restrictions** - Only specific users or groups can push This error commonly appears when: 1. Pushing directly to main, master, develop, or release branches that require PRs 2. Your account isn't in the "Write Access" allowlist for the branch 3. You're using an access token which doesn't support bypassing branch restrictions 4. CI/CD pipelines attempt to push without proper permissions 5. Branch protection was recently added by an administrator
The standard workflow for protected branches is to use pull requests:
# Create a feature branch from your current changes
git checkout -b feature/your-changes
# If you already committed to the protected branch, reset it
# and move your commits to the feature branch
git checkout main
git reset --hard origin/main
git checkout feature/your-changes
# Push the feature branch
git push -u origin feature/your-changesThen create a pull request in Bitbucket:
1. Go to your repository on Bitbucket
2. Click Create pull request
3. Select your feature branch as source and the protected branch as destination
4. Add reviewers and submit the PR
This is the intended workflow when branch protection is enabled.
Review the branch permissions to understand what's blocking you:
For Bitbucket Cloud:
1. Go to your repository on Bitbucket
2. Navigate to Repository settings > Branch restrictions
3. Find the rule for your target branch (e.g., main, master, develop)
4. Click Edit to see the current restrictions
For Bitbucket Data Center/Server:
1. Go to the repository or project settings
2. Navigate to Branch permissions
3. Review the restrictions for your target branch
Look for these settings:
- Prevent changes without a pull request - Requires PR workflow
- Write access - Shows who can push directly
- Prevent rewriting history - Blocks force push/rebase
If you need to push directly to the protected branch, ask an administrator to add you:
For Bitbucket Cloud:
1. Admin goes to Repository settings > Branch restrictions
2. Edit the branch restriction rule
3. In Write access section, select "Only specific people or groups have write access"
4. Add your username or your team/group
5. Click Save
For Bitbucket Data Center/Server:
1. Admin goes to Branch permissions
2. Click Add permission or edit existing rule
3. Add your user or group as an exemption to the restriction
4. Save the changes
Note: Being added as an exemption means the restriction will not apply to you, allowing direct pushes.
Bitbucket branch restrictions currently don't work well with access tokens. Switch to SSH authentication:
Step 1: Generate an SSH key (if needed)
# Generate a new SSH key
ssh-keygen -t ed25519 -C "[email protected]"
# Start the SSH agent
eval "$(ssh-agent -s)"
# Add your key to the agent
ssh-add ~/.ssh/id_ed25519Step 2: Add the key to your Bitbucket account
1. Copy your public key: cat ~/.ssh/id_ed25519.pub
2. Go to Personal Bitbucket settings > SSH keys
3. Click Add key and paste your public key
4. Save
Step 3: Update your repository to use SSH
# Check current remote URL
git remote -v
# Change to SSH URL
git remote set-url origin [email protected]:workspace/repository.git
# Verify the change
git remote -vImportant: Add the SSH key to your personal account, not to the workspace or repository level. Repository-level keys are read-only.
Ensure your SSH configuration properly identifies to Bitbucket:
Edit ~/.ssh/config:
Host bitbucket.org
HostName bitbucket.org
User git
IdentityFile ~/.ssh/id_ed25519
AddKeysToAgent yes
IdentitiesOnly yesTest the connection:
ssh -T [email protected]You should see a message like:
authenticated via ssh key.
You can use git to connect to Bitbucket.If you see your username in the response, SSH is correctly configured. If not, the wrong key may be offered.
If you're trying to force push (e.g., after a rebase), you need additional permissions:
For Bitbucket Cloud:
1. Admin goes to Repository settings > Branch restrictions
2. Edit the branch restriction rule
3. Check Allow rewriting branch history
4. Save changes
For Bitbucket Data Center/Server:
1. Admin edits the branch permission
2. Ensure "Prevent rewriting history" is not enabled, or add your user as an exemption
Alternative: Avoid force push
# Instead of rebasing, merge to avoid force push
git checkout feature-branch
git merge main
git push origin feature-branch
# Then update your PR - it will now include the merge commitForce pushing to shared branches is generally discouraged as it can disrupt other developers.
If your CI/CD pipeline needs to push (e.g., version bumps, changelog updates):
Option 1: Use a deployment SSH key
1. Generate a dedicated SSH key for CI/CD
2. Add it to Bitbucket:
- For Bitbucket Cloud: Add to repository Access keys with write access
- Or add to the workspace SSH keys for broader access
3. Configure your CI to use this key
4. Add the CI user to branch restriction exemptions
For Bitbucket Pipelines:
pipelines:
default:
- step:
script:
- git push origin main
# Pipeline has its own SSH key - ensure it's allowed in branch restrictionsOption 2: Use App password (for HTTPS)
1. Create an App password in Personal settings
2. Grant Repository Read/Write permissions
3. Use in CI as: https://username:[email protected]/...
4. Note: May still be blocked by branch restrictions
Option 3: Modify workflow to use PRs
Have CI create a PR instead of pushing directly:
# Create branch and push
git checkout -b release/v1.2.3
git push -u origin release/v1.2.3
# Use Bitbucket API to create PR
curl -X POST -H "Authorization: Bearer $BB_TOKEN" \
"https://api.bitbucket.org/2.0/repositories/workspace/repo/pullrequests" \
-d '{"title": "Release v1.2.3", "source": {"branch": {"name": "release/v1.2.3"}}}'If Git is authenticating with the wrong Bitbucket account:
On Windows (Credential Manager):
1. Open Control Panel > Credential Manager > Windows Credentials
2. Find entries for git:https://bitbucket.org or bitbucket.org
3. Click Remove to delete cached credentials
Or via command line:
cmdkey /delete:git:https://bitbucket.orgOn macOS (Keychain):
# Remove Bitbucket credentials from Keychain
git credential-osxkeychain erase
host=bitbucket.org
protocol=https
# Press Enter twiceOn Linux:
# If using store helper
grep -v bitbucket.org ~/.git-credentials > temp && mv temp ~/.git-credentials
# If using cache helper
git credential-cache exitAfter clearing credentials, Git will prompt for authentication on the next push.
### Branch Permissions Hierarchy
Bitbucket checks permissions in this order:
1. Global permissions (site-wide for Data Center)
2. Project permissions (applies to all repos in project)
3. Repository permissions (repo-level access)
4. Branch permissions (branch-specific restrictions)
You can have write access at the repository level but still be blocked by branch-level restrictions.
### Access Token Limitations
As of 2024, Bitbucket access tokens cannot bypass branch restrictions. This is a known limitation tracked in BCLOUD-22400. Workarounds include:
- Use SSH keys instead of access tokens
- Temporarily disable branch restrictions for automated pushes
- Use the PR workflow for CI/CD changes
### Bitbucket Cloud vs Data Center Differences
Bitbucket Cloud uses "Branch restrictions" in repository settings, while Bitbucket Data Center/Server uses "Branch permissions" at project or repository level. The configuration UI differs but concepts are similar.
### Model Branch Patterns
Bitbucket supports branch patterns for permissions:
- main - Exact match
- release/* - Wildcard matching
- **/feature-* - Glob pattern
- Or use the Branching Model to protect all "Production" or "Development" branches
### Workspace vs Repository SSH Keys
- Personal SSH keys: Full access matching your account permissions
- Workspace SSH keys: Access to all repos in workspace
- Repository SSH keys: Read-only by default, limited to single repo
For push access, use personal or workspace-level keys.
### Pre-receive Hook Declined
The error "pre-receive hook declined" is Bitbucket's generic message for server-side rejection. Common causes:
1. Branch restrictions (most common)
2. GPG signature required but commit unsigned (Premium feature)
3. Repository over 2GB size limit (becomes read-only)
4. Custom hooks rejecting the push (Data Center)
### Debugging Push Rejections
Enable verbose output to see more details:
GIT_TRACE=1 GIT_CURL_VERBOSE=1 git push origin main 2>&1The output shows the authentication method and server response, helping identify whether it's an auth or permission issue.
kex_exchange_identification: Connection closed by remote host
Connection closed by remote host when connecting to Git server
fatal: unable to access: Proxy auto-configuration failed
How to fix 'Proxy auto-configuration failed' in Git
fatal: unable to access: Authentication failed (proxy requires basic auth)
How to fix 'Authentication failed (proxy requires basic auth)' in Git
fatal: unable to access: no_proxy configuration not working
How to fix 'no_proxy configuration not working' in Git
fatal: unable to read tree object in treeless clone
How to fix 'unable to read tree object in treeless clone' in Git