docker login with impersonation token with scope `read_registry` fails
Logging in to the docker registry with an impersonation token that has the scope
The impersonation token allows to set the scope
read_registry so I'd expect this to work. Also from reading the docs, I'd conclude that this should work:
To authenticate, you can use: A personal access token.
Impersonation tokens are a type of personal access token
Steps to reproduce
- Create an impersonation token with scope
docker login -u myuser -p <impersonation-token>
What is the current bug behavior?
docker login fails.
$ docker login docker.example.com -u deploy-user -p <impersonation-token> WARNING! Using --password via the CLI is insecure. Use --password-stdin. Error response from daemon: Get https://docker.example.com/v2/: denied: access forbidden
What is the expected correct behavior?
The login should success as it does with a personal access token.
Relevant logs and/or screenshots
Works with a personal access token:
$ docker login docker.example.com -u myuser -p <personal access token> WARNING! Using --password via the CLI is insecure. Use --password-stdin. WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded
Results of GitLab environment info