Can't remove images in bulk using the API with non-personal access tokens

Problem to solve

Removing container registry images (in bulk) using the GitLab API without a personal access token.

Container registry image tags for reference:
- v1.3.0
- v1.2.0
- v1.2.2
- v1.1.0
- v1.0.0
- latest
- temp-commitsha

The cleanup policy in the GitLab UI is used for cleaning non-version images daily and only keeping the versions (tags that aren't vx.x.x are removed, except for latest and vx.x.x tags).

What I am trying to achieve is removing version tags after a specific action, via pipeline or scheduled; however, the only available API to remove image tags in bulk only accepts personal access tokens with full api scope (some security risks).
Is there another way of achieving this?

What I have tried

Created a token (container_registry:<registory_path>:delete) following the "Obtain token from GitLab" approach,
then used the created token as shown in its steps, but in the "Delete registry repository tags in bulk" API.
It is always giving me an Unauthorized message.

Versions

  • Self-managed
  • GitLab.com SaaS
  • Dedicated

  • GitLab v17.4

Did you try the Personal Access Token scope write_registry?

Yes, it works, but my issue is still that we either need to create a PAT on one of our accounts or create an account specifically for this. Issues that we could face:
1- the token is saved in the CI/CD variables to be able to access it, making it available to members with Maintainer/Owner roles
2- there is no event alert on PAT expiration.

I have found a solution where we can use a CI_JOB_TOKEN, but not as PRIVATE_TOKEN (it didn't work), so I tried the Authorization attribute instead and it worked perfectly. However, since the CI_JOB_TOKEN inherits the permissions of the user who ran the job, it will not work if the user is a Developer, so I have created a scheduled pipeline instead; this will follow the creator's role.
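The approach described in the post above (bulk-deleting vX.Y.Z tags from a scheduled pipeline with the job token instead of a PAT), written out as an added example script that is not part of the original thread. It assumes the GitLab-provided CI variables CI_API_V4_URL, CI_PROJECT_ID and CI_JOB_TOKEN, and the hypothetical job variables REGISTRY_REPOSITORY_ID, KEEP_N and OLDER_THAN; it follows the poster's report that the job token is accepted in the Authorization header (the JOB-TOKEN header is the documented alternative). The sample tag list is constructed from the tags quoted in the question, so the dry-run preview runs offline.

```shell
#!/bin/sh
# Added example, not code from the original thread: a scheduled-pipeline job
# script that bulk-deletes versioned tags (vX.Y.Z) from a container registry
# repository using the job token in an Authorization header instead of a PAT.
# Assumed inputs: CI_API_V4_URL, CI_PROJECT_ID and CI_JOB_TOKEN (set by GitLab CI);
# REGISTRY_REPOSITORY_ID, KEEP_N and OLDER_THAN are hypothetical job variables.

# Only tags of the form vX.Y.Z are targeted; "latest" and "temp-<sha>" tags are
# left to the UI cleanup policy described in the question.
VERSION_TAG_RE='^v[0-9]+\.[0-9]+\.[0-9]+$'

# Constructed sample tag list mirroring the thread, used for the dry-run preview.
SAMPLE_TAGS='v1.3.0
v1.2.0
v1.2.2
v1.1.0
v1.0.0
latest
temp-commitsha'

# Print the tags from a newline-separated list that match VERSION_TAG_RE.
select_version_tags() {
  printf '%s\n' "$1" | grep -E "$VERSION_TAG_RE" || true
}

# Count the matching tags (prints 0 when nothing matches).
count_version_tags() {
  printf '%s\n' "$1" | grep -cE "$VERSION_TAG_RE" || true
}

# How many matched tags the server would remove for a given keep_n. keep_n
# retains the most recently pushed matches (by creation time, not by version
# number); everything else that matches and is older than OLDER_THAN goes.
deletable_count() {
  matched="$1"; keep_n="$2"
  if [ "$matched" -gt "$keep_n" ]; then
    echo $((matched - keep_n))
  else
    echo 0
  fi
}

# Issue the bulk-delete request. --get with --data-urlencode puts the regex
# safely into the query string, while --request DELETE keeps the HTTP method.
run_bulk_delete() {
  curl --silent --show-error --fail \
    --request DELETE --get \
    --header "Authorization: Bearer ${CI_JOB_TOKEN}" \
    --data-urlencode "name_regex_delete=${VERSION_TAG_RE}" \
    --data-urlencode "keep_n=${KEEP_N:-2}" \
    --data-urlencode "older_than=${OLDER_THAN:-30d}" \
    "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/registry/repositories/${REGISTRY_REPOSITORY_ID}/tags"
}

# Dry-run preview on the sample list, then delete only when running inside a
# GitLab job that has the required variables set.
echo "Version tags matched in the sample list:"
select_version_tags "$SAMPLE_TAGS"
matched=$(count_version_tags "$SAMPLE_TAGS")
echo "Would delete $(deletable_count "$matched" "${KEEP_N:-2}") of $matched with keep_n=${KEEP_N:-2}"

if [ -n "${CI_JOB_TOKEN:-}" ] && [ -n "${REGISTRY_REPOSITORY_ID:-}" ]; then
  run_bulk_delete
fi
```

Because the job token carries the permissions of whoever triggered the pipeline, this script only succeeds on a schedule owned by a Maintainer-or-above; keeping that schedule in a dedicated cleanup project, as suggested later in the thread, limits who can edit the regex or the keep_n value.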

Eventually, create a separate project that solely manages the container registry cleanup for a group of projects, and limit access to a small group (for example, the platform engineering / DevOps team).

Service accounts might come in handy as well, for tracking token expiration and permission scopes.