"docker pull" with deploy token fails on registry.gitlab.com - but only on public repos which have restricted docker registry to project members

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

Summary

docker login with a Gitlab project deploy token "user" succeeds.

But a subsequent docker pull command fails with the following message - but only on public repos which have restricted docker registry to project members as in https://gitlab.com/kinsecta/kinsecta-web-app/

$ docker login registry.gitlab.com -u gitlab+deploy-token-XXXX
Password: 
Login Succeeded

$ docker pull registry.gitlab.com/kinsecta/kinsecta-web-app/api:1.4.0-SNAPSHOT
Error response from daemon: pull access denied for registry.gitlab.com/kinsecta/kinsecta-web-app/api,
repository does not exist or may require 'docker login': denied: requested access to the resource is denied

☝️ However, pulling the image succeeds if you do docker logout and docker login with your default gitlab.com credentials (username/password or username/personal-access-token)!

Last time it worked for me was July 7. Maybe this helps in tracking down the issue.

Two similar cases have been reported in the Gitlab Forum:

• https://forum.gitlab.com/t/pulling-docker-image-from-gitlab-container-registry-stopped-working-only-for-one-project/70484
• https://forum.gitlab.com/t/python-image-on-shared-runners-cannot-be-pulled-from-docker-hub/71847/5

And another issue #363513 (closed) may be related as well.

Steps to reproduce

• Set up a public project, enable "Container Registry" but restrict it to "Only Project Members".
• Set up a deploy token gitlab+deploy-token-XXXX with permissions read_registry, write_registry.
• Push a docker image to the registry.
• Use another pc or server and perform docker login registry.gitlab.com -u gitlab+deploy-token-XXXX.
• This should work and you should see Login Succeeded.
• Now try to pull the image from the registry with docker pull registry.gitlab.com/group/project/image:tag and it will fail with the above error.

What is the current bug behavior?

The docker pull fails.

What is the expected correct behavior?

docker pull should succeed.

Output of checks

This bug happens on GitLab.com