How to login to gitlab.com registry in .gitlab-ci.yml for pulling the image

I want to run a simple test in a CI using an image I stored in another project’s container registry in the gitlab.com server and it fails because I didn’t log into the container registry.

The relevant part of .gitlab-ci.yml is this:

stages:
  - test
  - build

run_tests:
  stage: test
  image: ${CI_REGISTRY}${REGISTRY_GROUP_PATH}/images/almalinux-8-perl-io:1.0.0
  script:
    - perl -c bin/myscript.pl

The variable ${REGISTRY_GROUP_PATH} is configured for the first part of the path which may vary in other registries but is ok.

When I push the repository to gitlab.com the pipeline starts, but I get this error:

Running with gitlab-runner 17.0.0~pre.88.g761ae5dd (761ae5dd)
  on green-5.saas-linux-small-amd64.runners-manager.gitlab.com/default xS6Vzpvo, system ID: s_6b1e4f06fcfd
Preparing the "docker+machine" executor 00:04
Using Docker executor with image registry.gitlab.com/pert/teco-obs/pcs/imagenes-base/almalinux-8-perl-io:1.0.0 ...
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image registry.gitlab.com/the_registry_group_path/images/almalinux-8-perl-io:1.0.0 ...
WARNING: Failed to pull image with policy "always": Error response from daemon: pull access denied for registry.gitlab.com/the_registry_group_path/images/almalinux-8-perl-io, repository does not exist or may require 'docker login': denied: requested access to the resource is denied (manager.go:250:0s)
ERROR: Job failed: failed to pull image "registry.gitlab.com/the_registry_group_path/images/almalinux-8-perl-io:1.0.0" with specified policies [always]: Error response from daemon: pull access denied for registry.gitlab.com/the_registry_group_path/images/almalinux-8-perl-io, repository does not exist or may require 'docker login': denied: requested access to the resource is denied (manager.go:250:0s)

I understand I should run docker login, but how do I run it before the image is loaded?

If I use before_script: this runs after the image is loaded.

TIA.

Hi,

docker login is technically done behind the scenes automatically by the Runner in this case. Runner uses short lived tokens (CI_JOB_TOKEN) for this and by default is able only to access the project’s container registry.

Therefore, if you want to use an image from another project’s container registry, you must explicitly share it. You can do that by going to the project’s Settings (where your image is stored) > CI/CD > Token Access, section Limit access to this project (this is normally enabled by default) > Add project - here you should add the project that needs access to this image.

This should hopefully solve the issue 🙂


Hi Paula, thanks for your answer.

I’m trying to do as you say.
My projects are something like this:

  • gitlab.com/my-company-group/my-customer-subgroup/another-subgroup/images/image-1
  • gitlab.com/my-company-group/my-customer-subgroup/another-subgroup/images/image-2
  • gitlab.com/my-company-group/my-customer-subgroup/another-subgroup/a-different-subgroup/my-specific-project

All projects are private (company and customer policies).

I go to image-1 and in Settings > CI/CD > Job token permissions there are 2 options (maybe something new in GL 17.3).

However, when I press “Add group or project” in “CI/CD job token allowlist”, it shows me a search combo, but when I type the other project name or even a group/subgroup that contains both projects, neither of these appears in the selection (I tried “my-specific-project”, “my-customer-subgroup” and “my-company-group”, to no avail).

Any further help will be greatly appreciated.

Hi,

I’m still on GitLab 16, so I cannot be 100% sure, but, you should be able to type (copy/paste) in the full path from the top-level group. E.g. my-company-group/my-customer-subgroup/another-subgroup/my-specific-project or maybe even gitlab.com/my-company-group/my-customer-subgroup/another-subgroup/my-specific-project → remember to reference projects (not image names or anything else directly).

Hope this helps!


Regretfully, it doesn’t allow a plain type or paste, only search. Anyway, with your kind help, I can now ask the proper question in the forum and maybe someone with 17.x experience can help me further.

Thank you again for your help.


Found some docs about it, perhaps it helps - GitLab CI/CD job token | GitLab


Yeah… the docs seem to say just about the same as you; the problem is that the search box doesn’t show the projects I want and I can’t just type or paste the name.

I re-phrased the question with what you told me and hopefully some 17-version (or gitlab.com) user can help further.

It looks like you can either set up the credentials on the runner itself or you can try using the DOCKER_AUTH_CONFIG variable.
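For the DOCKER_AUTH_CONFIG route mentioned in the last reply, here is an added example (not from any poster in this thread) that builds the variable's JSON value and lets you check it without printing the secret. It assumes a deploy token limited to the read_registry scope has been created on the project that holds the image; the function names are hypothetical and the registry host, username and token are placeholders you supply.

```shell
#!/bin/sh
# Added example: build the JSON value for a DOCKER_AUTH_CONFIG CI/CD variable.
# Assumption: USER/TOKEN are a deploy token with read_registry scope only.

# make_docker_auth_config REGISTRY USER TOKEN
# Prints {"auths":{"REGISTRY":{"auth":"<base64 of USER:TOKEN>"}}} on stdout.
make_docker_auth_config() {
  registry=$1; user=$2; token=$3
  if [ -z "$registry" ] || [ -z "$user" ] || [ -z "$token" ]; then
    echo "usage: make_docker_auth_config REGISTRY USER TOKEN" >&2
    return 2
  fi
  # The key is the bare registry host as used in `image:` (no scheme, no
  # path); quotes and backslashes are rejected so the JSON stays valid.
  case $registry in
    */*|*\"*|*\\*) echo "registry must be a bare host[:port]" >&2; return 2 ;;
  esac
  # Basic auth splits on the first colon, so the username cannot contain one.
  case $user in
    *:*) echo "username must not contain ':'" >&2; return 2 ;;
  esac
  # tr strips the line wrapping that base64 adds to long input.
  auth=$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$registry" "$auth"
}

# auth_config_user JSON REGISTRY
# Prints only the username stored for REGISTRY, so the variable can be
# checked without echoing the token into a job log.
auth_config_user() {
  entry=$(printf '%s' "$1" | tr -d ' \n' |
    sed -n "s|.*\"$2\":{\"auth\":\"\([A-Za-z0-9+/=]*\)\".*|\1|p")
  [ -n "$entry" ] || return 1
  printf '%s' "$entry" | base64 -d | cut -d: -f1
}
```

Save the output as a CI/CD variable named DOCKER_AUTH_CONFIG in the project whose job pulls the image, using registry.gitlab.com as the host for images stored on gitlab.com.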