Can't use Group deploy token to push image to container registry

I have a project named my-docker-app that contains a single Dockerfile and I have setup CI so that when I push a tag, it should build the image and deploy it to gitlab’s container registry. There will be multiple such projects that will be part of the same group (docker-group). Therefore, I have setup a group deploy token with the correct scope and I am trying to docker login with that in order to push the image.
(see .gitlab-ci.yml below for details)

However, when I try to push I get:
denied: requested access to the resource is denied

I am using


image: docker:stable

   - docker:dind

    DOCKER_HOST: tcp://docker:2375
    DOCKER_DRIVER: overlay2
    DOCKER_GROUP_NAME: docker-group

    - echo $CI_REGISTRY_DEPLOY_TOKEN | docker login -u $CI_REGISTRY_DEPLOY_USER --password-stdin $CI_REGISTRY_IMAGE

        - docker
        - shared

        - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG .
        - docker run $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
        - docker image push $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
        - tags

I have tried logging with the group deploy token in the root folder, in the group folder (, even in the project’s folder ( but to no avail. In all these cases docker login returns Login succeeded but then when you try to push the image I get the error message above.
The only thing that has worked is to push the image$CI_COMMIT_TAG which is not what I want.

Edit: I have built the image$CI_COMMIT_TAG in CI (so that the image name is conforming to image naming convention and tried docker login with a group deploy token in:

    And I still get denied: requested access to the resource is denied.
    Any help is appreciated

OK kind of unintuitive but what fixed it for me was that write_registry scope alone would not allow me to push my docker image.
I had to have write_registry + read_registry scope on my deploy token.