So far, it looks like rb_bundle_fetch does not support installing gems from private repositories with authentication. I believe this is from the implementation using repository_ctx.download. I believe this could be accomplished by exposing the headers argument here in the rb_bundle_fetch arguments: https://bazel.build/rules/lib/builtins/repository_ctx#download

Example - bundle fetch hits 401 unauthorized here due to no way to pass credentials to request:

rb_bundle_fetch(
    name = "bundle",
    gemfile = "//:Gemfile",
    gemfile_lock = "//:Gemfile.lock",
    env = {
        "BUNDLE_MY_REPO__COM": "username:password",
    }
)

rb_bundle can do this successfully, because these bundler environment variables can pass through:

rb_bundle(
    name = "bundle",
    gemfile = "//:Gemfile",
    env = {
        "BUNDLE_MY_REPO__COM": "username:password",
    }
)

However rb_bundle is to be deprecated and docs recommend using rb_bundle_fetch instead. There are also numerous advantages pointed out in rb_bundle_fetch described here: #48

Or perhaps there is a way to use rb_bundle_fetch with private repos?