Access to registry API from CI pipeline

Looking at the documentation I was under the impression $CI_JOB_TOKEN would have access the following two APIs:

  • GET /api/v4/projects/:id/registry/repositories and
  • DELETE /api/v4/projects/:id/registry/repositories/:repository_id/tags/:tag_name.

This seems to be a fallacy as using the HTTP header Job-Token: $CI_JOB_TOKEN to call the first URL yields HTTP 404 although the URL is valid. Doing so with Private-Token: personal-access-token works.

Which predefined variables can I use to access the registry/repositories API?

Likewise I thought I could use $CI_REGISTRY_USER/$CI_REGISTRY_PASSWORD to access the actual Docker registry API at e.g. https://host:port/v2/group/project/tags/list. Yet, that also seems to be a fallacy as the call fails due to an Unauthorized response. I know I first need to obtain a Bearer token for a user/password combination[1]. Non-CI_REGISTRY_xxx users work fine.

[1] How to interact with the Docker registry API: