Access forbidden error when using gitlab-runner exec docker

Hello all,
I get an “access forbidden error” when using gitlab-runner exec with docker on OSX:

~/work/brainbox.master $ gitlab-runner exec docker build       
Running with gitlab-runner 10.6.0 (a3543a27)
Using Docker executor with image ...
Pulling docker image ...
ERROR: Preparation failed: Error response from daemon: Get denied: access forbidden
FATAL: Error response from daemon: Get denied: access forbidden

My config.toml is the following:

~/work/brainbox.master $ cat ~/.gitlab-runner/config.toml 
concurrent = 1
check_interval = 0

  name = "udara.kalis.local"
  url = ""
  token = "{elided}"
  executor = "docker"
    tls_verify = false
    image = "ubuntu"
    privileged = false
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0

The head of my .gitlab-ci.yml is.

~/work/brainbox.master $ head -10 .gitlab-ci.yml 
 - build
 - cleanup
 - test
 - deploy

During gitlab-runner registration, I set the token to the CI runner token from the Gitlab project’s CI/CD page. 2FA is enabled on this project.

At a loss on how to proceed, so any suggestions are welcome… thank you!

I may be wrong but I think that when you run the job like this you would need to run

docker login

first. I suspect the runner token only comes into play when a job is triggered via the CI system.