Can't push docker image to gitlab group

I have a gitlab group that holds projects that in turn only contain a single Dockerfile.

So gitlab.com/my_fancy_group contains

  1. gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_1
  2. gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_2

I am trying to push docker images from each project to its parent group container registry so that it is easier to pull them. So pulling would be

docker pull registry.gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_1:latest

docker pull registry.gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_2:latest

And it would be as if adding an image file to the group’s container registry.

I have created a deploy token for my_fancy_group that has write_registry scope.

I have added this as a masked variable (user: DEPLOY_USER, pass: DEPLOY_TOKEN) in my_fancy_group as well in order to be able to use it in the projects.

Now in my .gitlab-ci.yml I will run:

- echo $DEPLOY_TOKEN | docker login -u $DEPLOY_USER --password-stdin registry.gitlab.com/my_fancy_group

Which will return

Login Succeeded

After I run these commands

- docker build -t registry.gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_1:$CI_COMMIT_TAG .
- docker image push registry.gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_1:$CI_COMMIT_TAG

And I get the error

The push refers to repository [registry.gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_1]
...
denied: requested access to the resource is denied

I have tested that the image is built ok with a docker run in between build and push

I have tried:

  1. Logging in registry.gitlab.com again with the Deploy Token, which succeeds but the docker push fails as well.
  2. Using a different name to amaze_project_to_build_docker_image_1 in case there is some sort of name clash. Docker push fails
  3. Pushing to registry.gitlab.com/my_fancy_group:$CI_COMMIT_TAG. This succeeds but does not achieve the desired functionality.

It looks like the deploy token will only allow images such as
https://registry.gitlab.com/my_fancy_group:$CI_COMMIT_TAG

Is there a way to do this? Or should I stick with separate projects? I guess that in the end it would be the same and I am just nitpicking.

Relevant documentation and posts:
https://gitlab.com/gitlab-org/gitlab/-/issues/23315
https://docs.gitlab.com/ee/user/packages/container_registry/#image-naming-convention

https://www.reddit.com/r/gitlab/comments/ft2dbk/allowing_runner_to_push_to_container_registry/