Token user kicking off CD with dependency proxy

HI all, I have a repo that gets updated automatically from a bash script, and uses a group access token. .gitlab-ci.yml is set to pull an image using CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX (have also tried CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX). The group access token role is Developer (have also tried Owner ) and scopes are read_repository, write_repository, read_registry, write_registry . The pipeline kicks off fine when a normal user commits, but when the group access token commits, the CD job fails with the following. If I remove the dependency proxy prefix, it runs fine for the access token. What am I doing wrong? I’m basing my assumption on Dependency Proxy | GitLab. I previously was told I needed to use a group access token instead of a project token, but I’m only now getting a chance to revisit this. Any guidance would be appreciated.

WARNING: Failed to pull image with policy "always": Error response from daemon: unauthorized: authentication required (manager.go:237:0s)
ERROR: Job failed: failed to pull image "fqdn:443/group/dependency_proxy/containers/alpine:latest" with specified policies [always]: Error response from daemon: unauthorized: authentication required (manager.go:237:0s)



  # some ssh setup stuff
  - foo
  - bar

  stage: deploy
    - ssh somebody@fqdn /some/

Using GitLab Enterprise 15.8.1-ee