This GitLab error occurs when you attempt an action that requires Maintainer or Owner role, but your current permissions are insufficient. Common triggers include pushing to protected branches, managing project settings, or modifying CI/CD configurations.
This error indicates that your GitLab account lacks the necessary permissions to complete the requested action. GitLab uses a role-based access control system with five permission levels: Guest, Reporter, Developer, Maintainer, and Owner. Each role has progressively more capabilities. When you see "You need maintainer access to perform this action," GitLab is telling you that the operation you're attempting is restricted to users with the Maintainer role or higher (Owner). Your current role—likely Developer or below—doesn't include this permission. Common actions that require Maintainer access include: - Pushing directly to protected branches - Managing protected branch/tag settings - Configuring project CI/CD runners and variables - Editing project settings and webhooks - Managing project members and their roles - Approving merge requests to protected branches (depending on settings) - Managing releases and deployment configurations
First, verify what role you actually have in the project:
1. Navigate to the GitLab project
2. Go to Manage > Members (or Project information > Members in older versions)
3. Find your username in the members list
4. Check the Role column to see your current access level
Understanding roles:
| Role | Access Level |
|------|--------------|
| Guest (10) | View issues, leave comments |
| Reporter (20) | Clone, create issues and merge requests |
| Developer (30) | Push to non-protected branches, manage issues |
| Maintainer (40) | Push to protected branches, manage project settings |
| Owner (50) | Full access including deletion and transferring |
If your role is Developer or below, you'll need to request an upgrade to Maintainer.
If you need Maintainer access, request it from the project Owner or an existing Maintainer:
Option 1: Use GitLab's built-in access request
1. Navigate to the project page
2. Click the vertical ellipsis menu (three dots) in the upper right
3. Select Request Access
4. An email notification is sent to up to 10 recently active Maintainers/Owners
Option 2: Contact the Owner directly
- Check the Members page to identify project Owners
- Send them a message explaining why you need elevated access
Option 3: If you're in an organization
- Contact your GitLab administrator
- Check if there's a formal process for access requests
- Review if a team/group already has the access you need
Note: Only Owners can grant Owner role. Maintainers can grant up to Maintainer role to others.
If you can push to some branches but not others, the target branch might be protected:
1. Go to Settings > Repository > Protected branches
2. Find the branch you're trying to push to (e.g., main, master)
3. Check the "Allowed to push and merge" settings
Protected branch settings:
- No one - Branch is locked, only merge requests allowed
- Maintainers - Only Maintainers and Owners can push directly
- Developers + Maintainers - Developers can also push
- Specific users - Only named users can push
Workaround if you can't get Maintainer access:
# Create a feature branch instead
git checkout -b feature/your-changes
# Push to your feature branch
git push origin feature/your-changes
# Then create a Merge Request to the protected branchThis follows GitLab's intended workflow where protected branches receive changes only through reviewed merge requests.
For protected branches, the recommended workflow is to use Merge Requests:
# Make sure you're not on the protected branch
git checkout -b feature/my-changes main
# Make your changes and commit
git add .
git commit -m "Your commit message"
# Push to your feature branch
git push origin feature/my-changesThen in GitLab:
1. Navigate to your project
2. Click Create merge request (GitLab may prompt this automatically)
3. Set the target branch to the protected branch (e.g., main)
4. Add a description and assign reviewers
5. Submit the merge request
Merge Request approval requirements:
- Some projects require approvals before merging
- Check Settings > Merge requests > Approval rules
- Even as a Developer, you can create MRs that Maintainers can merge
If you're using a Personal Access Token or Deploy Token, verify it has sufficient scopes:
Check Personal Access Token scopes:
1. Go to your User Settings > Access Tokens
2. Review the token you're using
3. Ensure it has the required scopes:
- write_repository - Push to repositories
- api - Full API access (includes repository access)
- read_repository - Clone repositories
For Project Access Tokens:
1. Go to Settings > Access Tokens in the project
2. Check the role assigned to the token
3. The token inherits permissions based on its role (Guest, Reporter, Developer, Maintainer)
Create a new token with correct permissions:
# Test your current authentication
git push --dry-run origin main
# If using HTTPS, update your credential
git config --global credential.helper store
# Then push and enter new token when promptedNote: Even with a valid token, you cannot exceed your user's role permissions. A token can only do what your account is allowed to do.
Some GitLab actions require direct project membership rather than inherited access through groups:
Understanding membership types:
- Direct members - Added directly to the project
- Inherited members - Access through parent group membership
- Shared members - Access through group sharing
Potential issues with inherited access:
- Some operations require direct membership
- Group-level restrictions may override project permissions
- Membership lock at group level can prevent changes
Check your membership type:
1. Go to Manage > Members
2. Look at the Source column
3. "Direct member" shows you were added to the project
4. A group name indicates inherited access
If you have inherited access but need direct:
- Ask a project Owner to add you directly to the project
- This may give you different (potentially higher) permissions
Group membership lock:
If the project belongs to a group with "Membership lock" enabled, the project cannot have its own members - all access must come through the group. Contact the group Owner to adjust permissions.
If the error occurs during CI/CD operations, check runner and variable permissions:
Protected CI/CD variables:
1. Go to Settings > CI/CD > Variables
2. Check if the variable has "Protected" enabled
3. Protected variables are only available to protected branches/tags
Protected runners:
- Some runners may be configured to only run on protected branches
- Check Settings > CI/CD > Runners for runner settings
Common CI/CD permission issues:
# In .gitlab-ci.yml, some jobs may require elevated permissions
deploy:
script:
- deploy.sh
rules:
- if: $CI_COMMIT_BRANCH == "main"
# This job only runs on protected 'main' branch
# Requires Maintainer access to trigger manuallySolutions:
- Use merge request pipelines instead of pushing directly
- Ask a Maintainer to run protected jobs
- Request CI/CD variable access through your team lead
If you've tried the above steps and still can't resolve the issue:
For self-managed GitLab:
- Contact your GitLab administrator
- They can check audit logs for permission changes
- Admins can grant any role at project or group level
- Check if there are organization-wide policies restricting access
For GitLab.com (SaaS):
- Group/Project Owners are your primary contacts
- Check if the project belongs to a GitLab Ultimate group with compliance features
- Review if there are IP restrictions or other security policies
Information to provide when escalating:
1. The exact error message
2. The action you were trying to perform
3. Your current role (from Members page)
4. The project/group path
5. Whether this worked previously (and what changed)
Audit log check (for Owners/Admins):
- Go to Settings > General > Audit Events
- Look for recent permission changes
- Check if your role was modified
### GitLab Permission Inheritance
GitLab permissions flow downward through the group hierarchy:
- User has Maintainer role in parent group
- All subgroups and projects inherit at least Maintainer access
- Projects can grant additional permissions but cannot reduce inherited ones
However, certain actions still require direct membership:
- Transferring projects to other groups
- Some repository mirroring configurations
- Certain compliance-related actions in Ultimate tier
### Protected Branch Bypass
In some cases, even Maintainers cannot push to protected branches. Check if:
- "No one" is selected for push permissions
- Code Owners approval is required
- Push rules reject the commits (file size, secrets, etc.)
# Check why push is rejected
GIT_TRACE=1 git push origin main 2>&1### Access Token Role Limitations
Project Access Tokens and Group Access Tokens have role limits:
- Token cannot have higher role than the user who created it
- Tokens created by Maintainers can be at most Maintainer level
- Bot users from tokens appear in audit logs
### SAML/LDAP Group Sync Issues
If your organization uses SAML SSO or LDAP:
- Roles may be synced from external identity provider
- Local role changes may be overwritten on next sync
- Check with your IT team if roles keep reverting
### API Workarounds
For automated workflows, use the GitLab API with appropriate token:
# Check your access level via API
curl --header "PRIVATE-TOKEN: <your_token>" \
"https://gitlab.com/api/v4/projects/:id/members/all/:user_id"The response includes access_level (30=Developer, 40=Maintainer, 50=Owner).
### Merge Request Approval Rules
Some projects have strict approval requirements:
- Required approvals from specific users/groups
- Code Owners must approve changes to certain files
- Security team approval for sensitive changes
Check Settings > Merge requests > Approval rules to understand what's needed for your MR to be mergeable.
kex_exchange_identification: Connection closed by remote host
Connection closed by remote host when connecting to Git server
fatal: unable to access: Proxy auto-configuration failed
How to fix 'Proxy auto-configuration failed' in Git
fatal: unable to access: Authentication failed (proxy requires basic auth)
How to fix 'Authentication failed (proxy requires basic auth)' in Git
fatal: unable to access: no_proxy configuration not working
How to fix 'no_proxy configuration not working' in Git
fatal: unable to read tree object in treeless clone
How to fix 'unable to read tree object in treeless clone' in Git