Project access token: interaction between role and scope for registry

Hello

I want to understand what the interaction is between the role and the scope fields in a project access token, because I failed to understand it while troubleshooting a permission issue on the registry.

A Kubernetes service account created with a token with scope read_registry and role guest received a 401 error from the GitLab registry with the message:

pull access denied, repository does not exist or may require authorization:
server message: insufficient_scope: authorization failed

I chose the role guest because the token did not have to interact with the project itself (like creating issues, …).

Seeing the message insufficient_scope, I created a new token with the role set to reporter; after that, pulling was possible. But now I'm concerned about the security of the project.

I read Project access tokens | GitLab but did not find an explanation of the role and its interaction with the scope in the documentation page.

Can someone clarify this?

Thanks

GitLab version: 15.7

Is there somebody who can help with that?

I’d also be interested in an answer.

I found the answer here: Permissions and roles | GitLab

which has footnote (19): "The ability to view the Container Registry and pull images is controlled by the Container Registry's visibility permissions."

which notes that Guests are restricted to only public projects with everyone access or internal projects with everyone access.

Other role info is available in the first link; my assumption is that with only the read_registry scope enabled anything else will fail (role & scope permissions are AND, not OR), but I haven't verified that myself.

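One way to check what a token actually grants before wiring it into a cluster, as an added example that is not code from this thread: request a registry JWT from GitLab's token endpoint and read its `access` claim, where a missing `pull` action is exactly what the registry then reports as insufficient_scope. The `/jwt/auth` realm, the basic-auth username and the two sample JWTs are assumptions made for the example.

```python
"""Inspect the actions a GitLab registry JWT grants on a repository (added example)."""
import base64
import json
import urllib.parse
import urllib.request


def decode_jwt_payload(token: str) -> dict:
    """Decode the JWT payload without verifying the signature (base64url, padding stripped)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_actions(token: str, repository: str) -> list:
    """Return the actions (pull, push, ...) the access claim grants on one repository.
    An empty list means the registry will answer 401 insufficient_scope for that repo."""
    for entry in decode_jwt_payload(token).get("access", []):
        if entry.get("type") == "repository" and entry.get("name") == repository:
            return list(entry.get("actions", []))
    return []


def fetch_registry_token(gitlab_host, user, access_token, repository, action="pull"):
    """Ask the token realm the registry redirects to (assumed: /jwt/auth) for a JWT,
    sending the token as the basic-auth password. Network call, not run by the tests."""
    query = urllib.parse.urlencode({"service": "container_registry",
                                    "scope": f"repository:{repository}:{action}"})
    req = urllib.request.Request(f"https://{gitlab_host}/jwt/auth?{query}")
    cred = base64.b64encode(f"{user}:{access_token}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["token"]


def make_sample_jwt(access: list) -> str:
    """Constructed, unsigned sample JWT so the check can be exercised offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'access': access})}.sig"


# Constructed samples: a guest + read_registry token on a private project yields no
# actions, while a reporter + read_registry token yields pull only.
GUEST_JWT = make_sample_jwt([{"type": "repository", "name": "group/app", "actions": []}])
REPORTER_JWT = make_sample_jwt([{"type": "repository", "name": "group/app", "actions": ["pull"]}])

if __name__ == "__main__":
    for label, jwt in (("guest", GUEST_JWT), ("reporter", REPORTER_JWT)):
        print(label, granted_actions(jwt, "group/app"))
```

With a real token, call `fetch_registry_token` and pass its result to `granted_actions` for the repository path the pod pulls from.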