Child Job cannot access gitlab registry

Gitlab CI Dynamic Child Job login to gitlab registry

Hi Gitlab users! I have been experimenting with Dynamic Child pipelines and have stumbled across a weird issue:

I have a requirement for a child job in my GitLab pipeline to authenticate to the gitlab registry.

When the parent job runs it logins to the registry with:

docker login -u gitlab-ci-token -p $CI_JOB_TOKEN registry.gitlab.com

This works perfectly on the parent job and I can successfully push the built docker image.

However, I have another image that I need to push from the child pipeline (which runs in the same repository BTW) but I get access denied error when trying to login with the same command.

From what I see on the gitlab ci/cd pipeline documentation, the child job should also run in the same security context of the user on that repository (just like a normal job) but it doesn’t seem to be the
case?

Has anyone experienced this issue before? Or am I missing something?

What I have done to bypass this issue. (This isn’t a long term and preferred workaround. I don’t recommend this on prod env).

  • To bypass this issue, I have had to create a personal access token and use that as env var to login from the child pipeline.

Answering my own question here.

The shell script that was generating the child job yaml was interpreting the $CI_JOB_TOKEN value and inserting the token from the parent job. Hence the job was being generated with the prefilled value from parent job.