Pull access denied for GitLab registry for non-maintainer of container project in CI/CD jobs after upgrade

Requested access to the resource is denied for non-maintainers of container project

After upgrading a few versions ago (I think somewhere between 16.8 -> 16.9 -> 16.10), images that a CI/CD job pulls from the Docker registry on the same self-managed server, which could be pulled before, now fail with a permission error against the GitLab registry of a project when the job authenticates with a job token and the pipeline was triggered by a user who has less than Maintainer rights on the corresponding container project.

What I expect, and what worked some versions ago:

  • Project A has a CI/CD config which uses a Docker image from project B on the same server

  • The pipeline-triggering user USER is a Developer on project A and has access (at any access level) to project B

  • The pipeline runs with the Docker image from project B and authenticates to the registry via the job token to pull the image

What I get now

Without any modifications to the CI/CD config, the container registry or the corresponding project, USER (non-maintainer on B) now gets this error when running a pipeline on A:

Running with gitlab-runner 16.11.0 (91a27b2a)
  on PA Mig Runner 7j_q9BTX, system ID: s_e6e1976c40fa
Preparing the "docker" executor
00:03
Using Docker executor with image <image-registry>/<path-to-the-image>:<some-version> ...
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image <image-registry>/<path-to-the-image>:<some-version> ...
WARNING: Failed to pull image with policy "always": Error response from daemon: pull access denied for <image-registry>/<path-to-the-image>, repository does not exist or may require 'docker login': denied: requested access to the resource is denied (manager.go:250:0s)
ERROR: Job failed: failed to pull image "<image-registry>/<path-to-the-image>:<some-versions>" with specified policies [always]: Error response from daemon: pull access denied for <image-registry>/<path-to-the-image>, repository does not exist or may require 'docker login': denied: requested access to the resource is denied (manager.go:250:0s)
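To see whether the registry itself refuses the job token "pull" on B's repository (rather than the runner or image path being at fault), the following added diagnostic, which is not part of the original post, runs the registry token exchange by hand from inside a job on A and prints the actions the returned JWT actually grants. It assumes the standard Docker registry token flow that the GitLab registry uses (401 challenge on /v2/, JWT fetched from the challenge's realm with basic auth gitlab-ci-token:$CI_JOB_TOKEN); the image path <group>/<project-b> is a placeholder.

```python
"""Added diagnostic (not from the original post): ask the registry's token
endpoint which actions a CI job token is granted on a repository.

Assumes the Docker registry token flow: GET /v2/ answers 401 with a
WWW-Authenticate challenge naming realm and service, the client fetches a JWT
for scope repository:<path>:pull, and the JWT's "access" claim lists the
actions actually granted. An empty list means the token was accepted but has
no pull right there, which the runner reports as "requested access ... denied".
"""
import base64, json, os, re, sys, urllib.error, urllib.parse, urllib.request

def parse_www_authenticate(header: str) -> dict:
    """Parse 'Bearer realm="...",service="..."' into {realm:..., service:...}."""
    if not header.lower().startswith("bearer "):
        raise ValueError("not a Bearer challenge: %r" % header)
    return dict(re.findall(r'(\w+)="([^"]*)"', header[7:]))

def granted_actions(jwt: str, repo: str) -> list:
    """Return the sorted actions the registry JWT grants on repository `repo`."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    for entry in claims.get("access", []):
        if entry.get("type") == "repository" and entry.get("name") == repo:
            return sorted(entry.get("actions", []))
    return []

def check_pull(registry: str, repo: str, user: str, token: str) -> list:
    """Run the challenge/token exchange against a live registry."""
    try:
        urllib.request.urlopen("https://%s/v2/" % registry)
        return ["(registry accepted the request without auth)"]
    except urllib.error.HTTPError as e:
        if e.code != 401:
            raise
        chal = parse_www_authenticate(e.headers.get("WWW-Authenticate", ""))
    query = urllib.parse.urlencode({"service": chal["service"],
                                    "scope": "repository:%s:pull" % repo})
    req = urllib.request.Request("%s?%s" % (chal["realm"], query))
    creds = base64.b64encode(("%s:%s" % (user, token)).encode()).decode()
    req.add_header("Authorization", "Basic " + creds)  # gitlab-ci-token:$CI_JOB_TOKEN
    with urllib.request.urlopen(req) as resp:
        return granted_actions(json.load(resp)["token"], repo)

if __name__ == "__main__":
    # Run inside a job on project A. Argument: image path without the registry
    # host, e.g. <group>/<project-b> (placeholder, substitute your own).
    repo = sys.argv[1] if len(sys.argv) > 1 else "<group>/<project-b>"
    actions = check_pull(os.environ["CI_REGISTRY"], repo,
                         os.environ.get("CI_REGISTRY_USER", "gitlab-ci-token"),
                         os.environ["CI_JOB_TOKEN"])
    print("granted on %s: %s" % (repo, actions or "nothing, so pull is denied"))
```

Running it once with USER as Developer and once after adding USER as Maintainer on B shows directly whether the granted actions change, which separates a registry authorization decision from a runner or image-path problem.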

What I tried

  • Adding project A to the allowed list of B did not help

  • Adding USER to the group containing B did not help

What helped, but is far beyond practical use

Adding USER as Maintainer on B leads to a working pipeline on A.

Configuration

  • No changes to the project config of A or B, or to USER's config

  • New image generated for B, but without any modifications to the CI (Auto DevOps used)

  • Upgraded GitLab versions (see above and below)

Versions

  • Self-managed 16.8 to 16.10