I have a gitlab group that holds projects that in turn only contain a single Dockerfile.
So gitlab.com/my_fancy_group contains
I am trying to push docker images from each project to its parent group container registry so that it is easier to pull them. So pulling would be
docker pull registry.gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_1:latest docker pull registry.gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_2:latest
And it would be as if adding an image file to the group’s container registry.
I have created a deploy token for my_fancy_group that has write_registry scope.
I have added this as a masked variable (user: DEPLOY_USER, pass: DEPLOY_TOKEN) in my_fancy_group as well in order to be able to use it in the projects.
Now in my .gitlab-ci.yml I will run:
- echo $DEPLOY_TOKEN | docker login -u $DEPLOY_USER --password-stdin registry.gitlab.com/my_fancy_group
Which will return
After I run these commands
- docker build -t registry.gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_1:$CI_COMMIT_TAG . - docker image push registry.gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_1:$CI_COMMIT_TAG
And I get the error
The push refers to repository [registry.gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_1] ... denied: requested access to the resource is denied
I have tested that the image is built ok with a docker run in between build and push
I have tried:
- Logging in registry.gitlab.com again with the Deploy Token, which succeeds but the docker push fails as well.
- Using a different name to amaze_project_to_build_docker_image_1 in case there is some sort of name clash. Docker push fails
- Pushing to registry.gitlab.com/my_fancy_group:$CI_COMMIT_TAG. This succeeds but does not achieve the desired functionality.
It looks like the deploy token will only allow images such as
Is there a way to do this? Or should I stick with separate projects? I guess that in the end it would be the same and I am just nitpicking.
Relevant documentation and posts: