Project access token: interaction between role and scope for registry


I want to understand the interaction between the role and scope fields of a project access token, because I could not work it out while troubleshooting a permission issue on the registry.

A Kubernetes service account configured with a token with scope read_registry and role Guest received a 401 error from the GitLab registry with the message:

pull access denied, repository does not exist or may require authorization:
server message: insufficient_scope: authorization failed

I chose role Guest because the token did not have to interact with the project itself (like creating issues, …).

Seeing the message insufficient_scope, I created a new token with role set to Reporter; after that, pulling was possible. But now I'm concerned about the security of the project.

I read Project access tokens | GitLab but did not find an explanation of role and its interaction with scope on the documentation page.

Can someone clarify this?


GitLab version: 15.7

Is there somebody who can help with that?
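A diagnostic for the 401 described in the post, added here as an example and not part of the original post or of GitLab's own tooling. It walks the Docker registry token-auth flow by hand: take the Bearer challenge the registry returns on an unauthenticated request, ask the realm it names for a token with `repository:<repo>:pull`, then decode the token's `access` claim to see which actions the auth server actually granted to that credential. Running it once with the Guest token and once with the Reporter token shows, for each token, whether `pull` was granted at all, which is what the registry enforces when it answers `insufficient_scope`. The hostnames `registry.example.com` and `gitlab.example.com`, the repository path `group/project`, and the credentials are hypothetical placeholders; the challenge header and JWT embedded in the block are constructed sample inputs so the parsing functions run offline.

```python
"""Walk the Docker registry token-auth flow against a GitLab registry and
report which actions the issued token grants on a repository.

Added diagnostic example, not from the original post. Hostnames, repository
path and credentials below are hypothetical placeholders."""
import base64
import json
import re
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Optional
from urllib.parse import urlencode

# Bearer challenge parameters look like: realm="...",service="...",scope="..."
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_www_authenticate(header: str) -> Dict[str, str]:
    """Split a `WWW-Authenticate: Bearer ...` challenge into its parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unexpected auth scheme: {scheme!r}")
    return dict(_PARAM_RE.findall(params))


def token_url(challenge: Dict[str, str], scope: Optional[str] = None) -> str:
    """Build the token-endpoint URL the registry pointed us at."""
    query = {"service": challenge["service"],
             "scope": scope or challenge.get("scope", "")}
    return f"{challenge['realm']}?{urlencode(query)}"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def unsigned_jwt(payload: dict) -> str:
    """Build an unsigned JWT; only used to construct the offline sample."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


def granted_actions(jwt: str, repo: str) -> List[str]:
    """Actions the token's `access` claim grants on `repo` (e.g. ["pull"]).

    The signature is deliberately not verified: this is a client-side look at
    what the auth server says it granted, not a trust decision."""
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    for entry in payload.get("access", []):
        if entry.get("type") == "repository" and entry.get("name") == repo:
            return list(entry.get("actions", []))
    return []


def diagnose(registry: str, repo: str, user: str, password: str) -> dict:
    """Live probe (needs network): fetch the challenge, request a pull token
    with the given credential, and report what that token really grants."""
    try:
        urllib.request.urlopen(f"https://{registry}/v2/")
        return {"challenge": None, "actions": []}  # no auth required at all
    except urllib.error.HTTPError as err:
        if err.code != 401:
            raise
        challenge = parse_www_authenticate(err.headers["WWW-Authenticate"])
    scope = f"repository:{repo}:pull"
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(token_url(challenge, scope),
                                 headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req) as resp:
        body = json.load(resp)
    jwt = body.get("token") or body.get("access_token", "")
    return {"challenge": challenge, "requested": scope,
            "actions": granted_actions(jwt, repo)}


# Constructed sample inputs (placeholder hosts and path), used offline.
SAMPLE_CHALLENGE = ('Bearer realm="https://gitlab.example.com/jwt/auth",'
                    'service="container_registry",'
                    'scope="repository:group/project:pull"')
SAMPLE_JWT = unsigned_jwt({"access": [
    {"type": "repository", "name": "group/project", "actions": ["pull"]}]})


if __name__ == "__main__":
    # usage: python diag.py registry.example.com group/project user token
    if len(sys.argv) == 5:
        print(json.dumps(diagnose(*sys.argv[1:]), indent=2))
    else:
        print(granted_actions(SAMPLE_JWT, "group/project"))
```

An empty `actions` list means the auth server issued a token that grants nothing on that repository, so any later pull fails with a 401 regardless of the `read_registry` scope on the project access token; `["pull"]` means the credential was accepted for the repository and any remaining failure lies elsewhere (image name, tag, network path).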