'denied: requested access to the resource is denied when pushing image to gitlab registry

I'm trying to push an image to gitlab registry.

I've done it many times, so I wonder why I get this error.

I build the image with latest tag: 

Successfully tagged registry.gitlab.com/mycompany/rgpd_api:latest

Then I login and I push:

docker login registry.gitlab.com -u gitlab+deploy-token-91931 
docker push registry.gitlab.com/mycompany/rgpd_api:latest

But I get:

The push refers to repository [registry.gitlab.com/mycompany/rgpd_api]
be679cc302b9: Preparing 
denied: requested access to the resource is denied

I gave gitlab+deploy-token-91931 token both read_repository and read_registry rights.

My repo is: 

https://gitlab.com/mycompany/rgpd_api

I checked with docs page: https://docs.gitlab.com/ee/user/project/container_registry.html

But when I do it through Gitlab CI, with gitlab-ci-token

I can push it normally.

I also tried to regenerate a new token, but still same issue.

How can I fix it ?

dockergitlabregistrygitlab-ci


Solution 1:[1]

My error was to use a deploy token to push a image to a registry.

A deploy token can be used to pull an image, but not push it.

So, instead, you can generate a Personal Access Token. You should add at least permissions:

read_registry, write_registry

Solution 2:[2]

I've stumbled upon this question as well and it turns out that

  • Group level Deploy tokens can be used to push images to group level container registry similarly to a PAT token with API access or other applicable scopes.
  • The image must to be tagged with the tag that matches an existing project within the group.
  • Any image tagged differently will be rejected with the denied: requested access to the resource is denied error message.

So, with the setup below:

  • GitLab group called mytest
  • Project within that group called hello-world
  • Docker image tagged as registry.gitlab.com/mytest/hello-world
  • Deploy token created for an entire group
  • Docker daemon authorized to push to that registry by cat "<deploy_token>" | docker login -u "<token_username>" --password-stdin registry.gitlab.com

You will get the following results:

  • Successful push for docker push registry.gitlab.com/mytest/hello-world because such project exists within the group
  • denied: requested access to the resource is denied if you try to push an image tagged with the name of the project that does not exist in the group like docker push registry.gitlab.com/mytest/no-project

So, again, image must be tagged to match an existing path within te group, like an existing project within the group or a subgroup.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Juliatzin
Solution 2

Related Questions

How to backup/export Gitlab CI environment variables?

clone an existing project in gitLab

gitlab-ce 12.X : how do I find the hashed storage path of a repository on the server?

Lighthouse GitLab CI for a Jekyll website times out

git ignore .env files not working

Server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Retrieving a CI variable from Gitlab project and use it within Dockerfile

How to git clone with username and password in gitlab?

Script command using ":" causing error in .gitlab-ci.yml execution

How do i setup Slack Notifications for Gitlab scheduled pipelines only?

How do i setup Slack Notifications for Gitlab scheduled pipelines only?

How to step into NuGet packages outside of debug session

Gitlab-CI with Docker executor /usr/bin/bash: line 90: git: command not found

How to limit a job in gitlab ci to a tag matching a pattern?

SSH-Key not recognized "receive packet: type 51" in Gitlab-CE