"docker pull" with deploy token fails on registry.gitlab.com - but only on public repos which have restricted docker registry to project members
Summary
docker login
with a Gitlab project deploy token "user" succeeds.
But a subsequent docker pull
command fails with the following message - but only on public repos which have restricted docker registry to project members as in https://gitlab.com/kinsecta/kinsecta-web-app/
$ docker login registry.gitlab.com -u gitlab+deploy-token-XXXX
Password:
Login Succeeded
$ docker pull registry.gitlab.com/kinsecta/kinsecta-web-app/api:1.4.0-SNAPSHOT
Error response from daemon: pull access denied for registry.gitlab.com/kinsecta/kinsecta-web-app/api,
repository does not exist or may require 'docker login': denied: requested access to the resource is denied
docker logout
and docker login
with your default gitlab.com credentials (username/password or username/personal-access-token)!
Last time it worked for me was July 7. Maybe this helps in tracking down the issue.
Two similar cases have been reported in the Gitlab Forum:
- https://forum.gitlab.com/t/pulling-docker-image-from-gitlab-container-registry-stopped-working-only-for-one-project/70484
- https://forum.gitlab.com/t/python-image-on-shared-runners-cannot-be-pulled-from-docker-hub/71847/5
And another issue #363513 (closed) may be related as well.
Steps to reproduce
- Set up a public project, enable "Container Registry" but restrict it to "Only Project Members".
- Set up a deploy token
gitlab+deploy-token-XXXX
with permissionsread_registry
,write_registry
. - Push a docker image to the registry.
- Use another pc or server and perform
docker login registry.gitlab.com -u gitlab+deploy-token-XXXX
. - This should work and you should see
Login Succeeded
. - Now try to pull the image from the registry with
docker pull registry.gitlab.com/group/project/image:tag
and it will fail with the above error.
What is the current bug behavior?
The docker pull
fails.
What is the expected correct behavior?
docker pull
should succeed.
Output of checks
This bug happens on GitLab.com