Can't access container registry from subgroup with group deploy token

First, the project structure:

rootGroup
   projectA
   projectB
   subgroup
      projectC

1. Only rootGroup has a group deploy token named gitlab-deploy-token (as per docs) with scopes read_registry, write_registry.
2. projectA pushes build results to ${CI_REGISTRY}/rootGroup/projectA, authenticates with echo "${CI_DEPLOY_PASSWORD}" | docker login -u "${CI_DEPLOY_USER}" --password-stdin ${CI_REGISTRY}. All good.
3. projectB needs to pull ${CI_REGISTRY}/rootGroup/projectA before build, authenticates with echo "${CI_DEPLOY_PASSWORD}" | docker login -u "${CI_DEPLOY_USER}" --password-stdin ${CI_REGISTRY}. All good.
4. projectC needs to pull ${CI_REGISTRY}/rootGroup/projectA before build, authenticates with echo "${CI_DEPLOY_PASSWORD}" | docker login -u "${CI_DEPLOY_USER}" --password-stdin ${CI_REGISTRY}. Access denied:

#4 [internal] load metadata for ${CI_REGISTRY}/rootGroup/projectA:latest
#4 ERROR: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

It seems to me that the group deploy token is not propagated to the subgroups (and, to my understanding, it should be).

Creating separate group deploy token named gitlab-deploy-token in the subgroup does not resolve this situation.

I've found a similar situation in the comment from #285495 (closed) and, as far as I can see, it was finally resolved for NuGet, but I'm facing the same situation with the container registry.

Let me tag @trizzi who closed #285495 (closed) recently to attract some attention to this one.

I'm using self-hosted GitLab v16.2.4.

Edited by 🤖 GitLab Bot 🤖
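The "insufficient_scope" message in the log above comes from the registry token exchange: docker asks GitLab's auth endpoint for a JWT scoped to `repository:<path>:pull`, and if the deploy token is not accepted for that path the returned token simply carries no `access` entry for it. The following added example (not from the issue author or from GitLab) is a small diagnostic that reproduces that exchange outside a pipeline and inspects the granted scope, so a pipeline owner can tell "token rejected for this repository" apart from "repository does not exist". It assumes the standard GitLab endpoint `<gitlab-host>/jwt/auth` with `service=container_registry`, that the endpoint accepts the deploy token as HTTP basic credentials (as `docker login` sends them), and that registry repository paths are the lowercased project path; the sample JWT payloads at the bottom are constructed for the demonstration.

```python
"""Inspect which registry actions a deploy token is actually granted.

Added example, not part of the original issue. Assumptions (not confirmed by
the issue): GitLab issues registry tokens at <gitlab-host>/jwt/auth, accepts
the deploy token user/password as HTTP basic auth, and names registry
repositories by the lowercased project path.
"""
import base64
import json
import urllib.request
from typing import Any


def registry_scope(project_path: str, action: str = "pull") -> str:
    """Docker token scope for a project's registry repository.

    The registry stores repository names in lower case, so rootGroup/projectA
    becomes rootgroup/projecta (assumption, see module docstring).
    """
    return f"repository:{project_path.lower()}:{action}"


def decode_jwt_payload(token: str) -> dict[str, Any]:
    """Return the JWT payload for inspection only (signature is NOT verified)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_actions(payload: dict[str, Any], project_path: str) -> set[str]:
    """Actions the token grants on the given repository (empty set if none)."""
    name = project_path.lower()
    for entry in payload.get("access", []):
        if entry.get("type") == "repository" and entry.get("name") == name:
            return set(entry.get("actions", []))
    return set()


def token_allows(payload: dict[str, Any], project_path: str, action: str = "pull") -> bool:
    """True when the token's access claim covers `action` on the repository."""
    return action in granted_actions(payload, project_path)


def fetch_registry_token(gitlab_url: str, user: str, password: str,
                         project_path: str, action: str = "pull") -> str:
    """Request a registry JWT the same way `docker login` + `docker pull` would.

    Network call; not exercised by the offline demo below.
    """
    scope = registry_scope(project_path, action)
    url = f"{gitlab_url.rstrip('/')}/jwt/auth?service=container_registry&scope={scope}"
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["token"]


def make_sample_token(payload: dict[str, Any]) -> str:
    """Constructed, unsigned JWT for the offline demo (real tokens are signed by GitLab)."""
    def b64url(obj: Any) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(payload)}."


# Constructed sample payloads: what a working token and a rejected token look like.
GRANTED_PAYLOAD = {"access": [{"type": "repository",
                               "name": "rootgroup/projecta",
                               "actions": ["pull"]}]}
DENIED_PAYLOAD = {"access": []}   # empty access claim -> "insufficient_scope" on pull


if __name__ == "__main__":
    for label, payload in (("projectB token", GRANTED_PAYLOAD), ("projectC token", DENIED_PAYLOAD)):
        decoded = decode_jwt_payload(make_sample_token(payload))
        print(label, "pull on rootGroup/projectA:", token_allows(decoded, "rootGroup/projectA"))
```

To run it against a real instance, call `fetch_registry_token("https://gitlab.example.com", CI_DEPLOY_USER, CI_DEPLOY_PASSWORD, "rootGroup/projectA")` and pass the result through `decode_jwt_payload` and `granted_actions`; an empty set for a repository that does exist means the token was accepted for authentication but not authorized for that path, which is the subgroup case described in the issue.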