Pushing images from multiple GitLab projects fails in CI of main project

I am trying to automate the deployment from our staging to production by simply tagging the images in our staging as production ready and pushing them to the registry prior to deploying them to the production systems, and to do this through schedules in CI.

My project builds a few of its own images and it also pulls in some images from some of our other projects. I can push the images which “belong” to the project where CI is running using the CI_REGISTRY_USER, but if the image “belongs” to another project then this fails with permission denied.

The script looks like this:

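    # Log in with the job's registry credentials; the password goes in on stdin
    # so it does not appear in the process list or the job's command line
    echo "${CI_REGISTRY_PASSWORD}" | docker login -u "${CI_REGISTRY_USER}" --password-stdin "${CI_REGISTRY}"
    from_tag=staging
    to_tag=prod
    # Every local repository name that lives in our registry, de-duplicated
    images=$(docker image ls | awk '/gitlab.acme.com:4567/ { print $1 }' | sort -u)
    for image in ${images}
    do
        existing="${image}:${from_tag}"
        new="${image}:${to_tag}"
        # Retag the staging image as production and push it
        docker tag "${existing}" "${new}"
        docker push "${new}"
    done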

The CI is running for acme/abc, so all gitlab.acme.com:4567/acme/abc:prod images push OK, but any that are like gitlab.acme.com:4567/acme/def:prod fail to push.

Is this user restricted to accessing the active project?

Do I have to create a service user with an access token to do this?