Authenticating to Gitlab Docker Registry before starting the CI job

pcorpet · May 27, 2019, 7:43am

I have seen the doc to use a CI job token to authenticate to Gitlab Docker Registry https://docs.gitlab.com/ee/user/project/new_ci_build_permissions_model.html#container-registry
as well as the doc to pull an image from a private Docker Registry https://docs.gitlab.com/ee/ci/docker/using_docker_images.html#define-an-image-from-a-private-container-registry

Now I would like to combine both and to be able to use the CI job token to pull the build image from GitLab Docker Registry and use a private image in the “image” field.

Did anyone manage do to that? I mean using CI_JOB_TOKEN instead of a personal user/token in DOCKER_AUTH_CONFIG.

ullrich · August 1, 2019, 12:43pm

Same here,

Our scenario:
We have one repository where we store the docker images that we use to run our CI tests. They get build and pushed to the gitlab registry in a CI job as well.

The runners in the projects shall use the images for their jobs, but are configured with docker:dind. To use the images they need to log in to the gitlab registry with a deploy key of the docker image repo.

eschutte · August 2, 2019, 11:44am

Just leaving this here in case the author finds a solution and is willing to share. I am too facing this issue.
I want to pull an image from a private repository for the CI Job to run in, but the error states that I have to do a ‘docker login’ before that. I cannot however, since this ‘docker login’ would then have to be done on the EC2 instance that is being spun up by our gitlab-runner (docker-machine+ssh).

ullrich · August 2, 2019, 12:33pm

Found the solution yesterday by setting DOCKER_AUTH_CONFIG. I’ll just copy paste what I wrote in our internal Readme:

To be able to use the images (i.e. registry.url:443/group/project/image:version) the CI runner needs to be able to pull the image from this repository (which is private). This can be done by using the DOCKER_AUTH_CONFIG CI variable.

The value can be generated by base64 encoding deploy key credentials for this repo: echo -n "deploy-key-user:deploy-key-secret" | base64
Set it in your client repos CI secrets as CI_DOCKER_AUTH_CONFIG and use it in the .gitlab-ci.yml as such:
  variables:
    DOCKER_AUTH_CONFIG: $CI_DOCKER_AUTH_CONFIG
For more info see: Run your CI/CD jobs in Docker containers | GitLab

pvjpierson · April 25, 2024, 1:49am

Maybe use a before script? The docs linked below have an example.

Topic		Replies	Views
Docker Registry Authentication woes: Using Private Docker Images for builds GitLab CI/CD	0	932	September 30, 2016
Runner cannot pull images from private registry even though the DOCKER_AUTH_CONFIG is correct GitLab CI/CD ci , docker , registry	0	2357	March 24, 2023
Use your own image on GitlabCI GitLab CI/CD docker	3	6422	March 21, 2022
Using Private GitLab Container Registry in GitLab CI GitLab CI/CD	4	3879	December 14, 2024
Simply use Docker Image from Gitlab Container Registry GitLab CI/CD	0	3158	September 22, 2021

Authenticating to Gitlab Docker Registry before starting the CI job

Related topics