Access forbidden error when using gitlab-runner exec docker

Hello all,
I get an “access forbidden error” when using gitlab-runner exec with docker on OSX:

~/work/brainbox.master $ gitlab-runner exec docker build       
Running with gitlab-runner 10.6.0 (a3543a27)
Using Docker executor with image registry.gitlab.com/brainboxcapital/brainbox:latest ...
Pulling docker image registry.gitlab.com/brainboxcapital/brainbox:latest ...
ERROR: Preparation failed: Error response from daemon: Get https://registry.gitlab.com/v2/brainboxcapital/brainbox/manifests/latest: denied: access forbidden
FATAL: Error response from daemon: Get https://registry.gitlab.com/v2/brainboxcapital/brainbox/manifests/latest: denied: access forbidden

My config.toml is the following:

~/work/brainbox.master $ cat ~/.gitlab-runner/config.toml 
concurrent = 1
check_interval = 0

[[runners]]
  name = "udara.kalis.local"
  url = "https://gitlab.com/"
  token = "{elided}"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "ubuntu"
    privileged = false
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0
  [runners.cache]

The head of my .gitlab-ci.yml is.

~/work/brainbox.master $ head -10 .gitlab-ci.yml 
image: registry.gitlab.com/brainboxcapital/brainbox:latest
stages:
 - build
 - cleanup
 - test
 - deploy

During gitlab-runner registration, I set the token to the CI runner token from the Gitlab project’s CI/CD page. 2FA is enabled on this project.

At a loss on how to proceed, so any suggestions are welcome… thank you!

I may be wrong but I think that when you run the job like this you would need to run

docker login registry.gitlab.com

first. I suspect the runner token only comes into play when a job is triggered via the CI system.