Container registry login works, pull fails for gitlab-ci-token

Some pipeline/jobs are failing suddenly, with no changes to docker runner (but have upgraded that now).

To illustrate the problem (which I have reproduced in a test project).
One project builds a docker image (for test use FROM ubuntu:20.04) and pushes into the container registry. The project is set to private access control.

Then a different project, using the same user to trigger the pipeline via commit:

  • docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
  • docker pull $CI_REGISTRY/rohanmars/test-image:1.0.0-SNAPSHOT

It then gets the following error:
$ docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY WARNING! Using --password via the CLI is insecure. Use --password-stdin. WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See Login Succeeded
$ docker -D --log-level debug pull $CI_REGISTRY/rohanmars/test-image:1.0.0-SNAPSHOT Error response from daemon: pull access denied for, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

If I separately do a docker login/pull from my local machines to that same image it works.

Is there something I’m missing? Is this functionality not supported anymore?

This started happening to me as well 3 days ago, but only in a specific project.