Container registry access denied from pipeline

The Problem

I’m trying to run a pipeline that pulls a Docker image from the container registry and then pushes it into the GCP registry. The .gitlab-ci.yml file is the following:

stages:
  - docker

push-to-gcp-registry:
  image: docker:20
  services:
    - docker:dind
  stage: docker
  before_script:
    - echo $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
    - cat $GCLOUD_SERVICE_KEY | docker login -u _json_key --password-stdin https://eu.gcr.io
  script:
    - docker pull $FRONTEND_IMAGE:$FRONTEND_VERSION
    - docker tag $FRONTEND_IMAGE:$FRONTEND_VERSION eu.gcr.io/$GCLOUD_PROJECT_ID/my-frontend:$FRONTEND_VERSION
    - docker push eu.gcr.io/$GCLOUD_PROJECT_ID/my-frontend:$FRONTEND_VERSION

The image is in another project with respect to the pipeline that I"m trying to run, but the two projects are in the same group, therefore there shouldn’t be any problem pulling it (I already did this in other pipelines).

I configured the four variables that you’re seeing in the script in the CI/CD / Variables section of the project.

This is what happens when the pipeline is run:

$ echo $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ cat $GCLOUD_SERVICE_KEY | docker login -u _json_key --password-stdin https://eu.gcr.io
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ docker pull $FRONTEND_IMAGE:$FRONTEND_VERSION
Error response from daemon: pull access denied for registry.gitlab.com/my-group/my-repo, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Cleaning up project directory and file based variables
00:01
ERROR: Job failed: exit code 1

The login works correctly, but for some reason the logged user still doesn’t have the right permission to pull the image. I tried to login and pull it from my local Docker daemon and it works flawlessly. I can’t understand what is going on. The project containing the image has the Container registry enabled.

Expected behavior

It should pull the image correctly

1 Like

I have exactly the same issue here. Were you able to solve it?

1 Like

From today I also can’t pull containers from the second public repository in my CI/CD.

ERROR: Job failed: failed to pull image "registry.gitlab.com/user/repo:latest" with specified policies [always]: Error response from daemon: pull access denied for registry.gitlab.com/user/repo, repository does not exist or may require 'docker login': denied: requested access to the resource is denied (manager.go:237:0s)

Edit: fixed by adding my private repository to Token Access :no_mouth:

1 Like

@RikoDEV Are you using the free version ? I am also having the same problem but unable to see the option to allowing access using Token. Appreciate you HELP !

Well, documentation says – all tiers. I will keep exploring.

Yeah, I’m using official gitlab.com free version.

Thanks @RikoDEV for your quick response.
Worked !

1 Like