Authorization failed to access image from private container registry (insufficient_scope)


  • User with Developer access in the our-org group
  • Container image in the private registry under our-org/ci/build, user is a member of the group our-org/ci (Inherited from our-org)
  • Repository with pipeline our-org/team1/my-app that uses the image from our-org/ci/build

When the user runs the pipeline in the repository our-org/team1/my-app

build:
  stage: build
  image:
    name: registry.gitlab.com/our-org/ci/build:3.13.4
...

he gets an error:

ERROR: Job failed: prepare environment: waiting for pod running: pulling image "registry.gitlab.com/our-org/ci/build:3.13.4" for container build: image pull failed: failed to pull and unpack image "registry.gitlab.com/our-org/ci/build:3.13.4": failed to resolve reference "registry.gitlab.com/our-org/ci/build:3.13.4": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed.

I can run the pipeline without any errors, but I have Owner permissions.

We have other users using the same build image, but they work in another group (e.g. team-2). Also Developer access, no errors.

If I understand this documentation correctly, the user can be added as a Developer only to his team group and as a Reporter to the ci group, and that should be sufficient for the user to run the pipeline.

I've looked through the group and repository settings and checked user permissions, but I can't see anything unusual. Perhaps I don't understand how the permissions work or there is a bug. How can I debug this issue?

This is not the first time we have had this issue, but previously it only affected a couple of external freelancers. This is the first time it has affected one of our own team members.

Edited by 🤖 GitLab Bot 🤖
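One way to narrow down an `insufficient_scope` failure like the one reported above, added here as an example and not part of the original report or GitLab's own code: decode the `access` claim of the bearer token that the registry's token service issued for the affected user and compare it with the requested pull scope. The claim layout follows the Docker registry token authentication spec; the helper names and both sample tokens are constructed, and obtaining a real token (on GitLab, from the `/jwt/auth` endpoint with `service=container_registry`) is assumed to happen outside the block.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_scope(scope: str):
    # Scope format: "<type>:<name>:<action>[,<action>...]". Split from the
    # right because the name may itself contain ':' (host:port/repo).
    head, actions = scope.rsplit(":", 1)
    rtype, name = head.split(":", 1)
    return rtype, name, set(actions.split(","))


def granted_access(token: str):
    # Reads the payload only; the signature is NOT verified (diagnostic use).
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(b64url_decode(parts[1]))
    return {(a["type"], a["name"]): set(a.get("actions", []))
            for a in claims.get("access") or []}


def missing_actions(token: str, scope: str):
    # Actions that were requested but are absent from the issued token.
    rtype, name, wanted = parse_scope(scope)
    return sorted(wanted - granted_access(token).get((rtype, name), set()))


def _enc(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_token(access):
    # Constructed, unsigned sample token; a real one comes from the token service.
    return ".".join([_enc({"alg": "none"}), _enc({"access": access}), "sig"])


SCOPE = "repository:our-org/ci/build:pull"
GRANTED_TOKEN = make_token(
    [{"type": "repository", "name": "our-org/ci/build", "actions": ["pull"]}])
DENIED_TOKEN = make_token([])  # token issued, but with no access entries

if __name__ == "__main__":
    for label, tok in (("granted", GRANTED_TOKEN), ("denied", DENIED_TOKEN)):
        print(label, "missing:", missing_actions(tok, SCOPE))
```

Running the same comparison on tokens issued for an affected and an unaffected user shows whether the difference is already present at token issuance or only appears later in the pull.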