Requested access to the resource is denied for non-maintainers of container project
After upgrading some versions ago (I think somewhere between 16.8 -> 16.9 -> 16.10), images pulled during a CI/CD job from the Docker registry on the same server (self-managed), which could be pulled before, run into a permission error with the GitLab registry of a project if authenticated with a job token while triggered from a user context with non-maintainer rights in the corresponding container project.
What I expect, and what worked some versions ago:
- Project A has a CI/CD config which uses a Docker image from project B on the same server
- Pipeline-triggering user USER is Developer on project A and has access (no matter what access level) to project B
- Pipeline runs with the Docker image from project B and authenticates to the registry via job token to pull the image
What I get now
Without any modifications to the CICD config, the container registry or the corresponding project, now USER (non-maintainer on B) gets this error when running a pipeline on A:
Running with gitlab-runner 16.11.0 (91a27b2a)
on PA Mig Runner 7j_q9BTX, system ID: s_e6e1976c40fa
Preparing the "docker" executor
00:03
Using Docker executor with image <image-registry>/<path-to-the-image>:<some-version> ...
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image <image-registry>/<path-to-the-image>:<some-version> ...
WARNING: Failed to pull image with policy "always": Error response from daemon: pull access denied for <image-registry>/<path-to-the-image>, repository does not exist or may require 'docker login': denied: requested access to the resource is denied (manager.go:250:0s)
ERROR: Job failed: failed to pull image "<image-registry>/<path-to-the-image>:<some-versions>" with specified policies [always]: Error response from daemon: pull access denied for <image-registry>/<path-to-the-image>, repository does not exist or may require 'docker login': denied: requested access to the resource is denied (manager.go:250:0s)
What I tried
- Adding project A to the allowed list of B did not help
- Adding USER to the group containing B did not help
What helped, but is way beyond practical use
Adding USER as Maintainer for B leads to a running pipeline on A.
Configuration
- No changes to the project config of A, B or USER config
- New image generated for B, but without any modifications to the CI (Auto DevOps used)
- Upgraded GitLab versions (see above and below)
Versions
- Self-managed 16.8 to 16.10
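A minimal reproducer for the setup described above, written as an added example and not taken from the report or from GitLab's documentation: project A's pipeline first pulls B's image explicitly with the same job-token credentials the runner uses ("credentials from job payload"), which separates a registry permission problem from an executor problem. The registry path, group name and tag are assumed placeholders; CI_REGISTRY, CI_REGISTRY_USER, CI_JOB_TOKEN and GITLAB_USER_LOGIN are GitLab predefined variables.

```yaml
# Project A: .gitlab-ci.yml (constructed example)
# <image-registry>/<group>/project-b:<tag> is an assumed placeholder for the
# image built by project B's Auto DevOps pipeline.

stages:
  - probe
  - build

# Runs in a public image so the job itself always starts; the explicit
# pull then shows whether this user's job token may read B's registry.
registry_probe:
  stage: probe
  image: docker:24
  services:
    - docker:24-dind
  script:
    - echo "Triggered by $GITLAB_USER_LOGIN on $CI_REGISTRY"
    - echo "$CI_JOB_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker pull <image-registry>/<group>/project-b:<tag>

# The real job, which fails at image pull time for a non-Maintainer of B
# in the affected versions, exactly as in the log above.
build:
  stage: build
  image: <image-registry>/<group>/project-b:<tag>
  script:
    - echo "image from project B pulled successfully"
```

If registry_probe fails with the same "requested access to the resource is denied" message, the job token of the triggering user lacks read access to B's registry regardless of the executor; if it succeeds and only build fails, the problem lies with how the runner authenticates the executor's image pull.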