5
votes

I'm having trouble pushing to GitLab Container Registry.

I can login successfully using my username and a personal access token but when I try to push the image to the registry, I get the following error:

$ docker push registry.gitlab.com/[groupname]/dockerfiles/nodemon
The push refers to a repository [registry.gitlab.com/[groupname]/dockerfiles/nodemon]
15d2ea6e1aeb: Preparing
2260f979a949: Preparing
f8e848bb8c20: Preparing
740a5345706a: Preparing
5bef08742407: Preparing
denied: requested access to the resource is denied

I assume the issue is not with authentication because when I run a docker login registry.gitlab.com, I get a Login Succeeded message.

Where is the problem?
How should I push my images to GitLab Container Registry?

6
Does a Git repository exist at [groupname]/dockerfiles/nodemon on GitLab? - gregnr
@gregnr Yes. The Git repo is actually at [groupname]/dockerfiles but GitLab's documentation states that it supports up to 3 levels of image names so [groupname]/dockerfiles/nodemon is a valid name. Btw, using [groupname]/dockerfiles also causes the same issue. - Kayvan Mazaheri
Very strange issue. If you go to your GitLab repo (on browser) > Settings, is Container Registry enabled? - gregnr
@gregnr Yes. it is enabled. - Kayvan Mazaheri
I believe I came across this issue for not having sufficient permissions. I would check if the user who runs the pipeline has the right permissions on that project and if you logged in with the user you are trying to push with - Sergiu

6 Answers

5
votes

I got it working by including the api scope in my personal access token.

The docs state "The minimal scope needed is read_registry." But that probably applies to read-only access.

Reference: https://gitlab.com/gitlab-com/support-forum/issues/2370#note_44796408

2
votes

In my case it was really dumb, maybe even a GitLab bug:
I renamed the GitLab project after the creation of the container registry, so the container registry URL still had the old name...
The project name in GitLab had the typo corrected, but the registry link did not, and that led to this error.

0
votes

Had a similar issue, it was because of the URL that was used for tagging and pushing the repo.

It should be

docker push registry.gitlab.com/[account or group-name]/[reponame]/imagename

0
votes

Enable the personal access token by adding the api scope as per these guidelines. After creating the token and username, use these credentials for logging into the Docker environment or pushing.

Deploy tokens created under CI/CD setup are not sufficient for pushing the image to a Docker registry.

0
votes

It was previously a correct answer to say that the personal access token needs to include the api permission, and several answers on this page say exactly that.

Recently, GitLab appear to have improved the granularity of their permission system. So if you want to push container images to the GitLab Docker registry, you can create a token merely with the read_registry and write_registry permissions. This is likely to be a lot safer than giving full permissions.

I have tested this successfully today.
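Why docker login can succeed while the push is denied, as an added example that is not part of the original answers: login only proves the credentials are valid, whereas each push is authorised by a short-lived bearer token whose `access` claim lists the actions granted per repository name. The sketch below assumes the registry issues Docker-distribution-style JWTs; the repository names and the sample tokens are constructed, and `missing_actions` is a hypothetical helper name.

```python
import base64
import json

REPO = "example-group/dockerfiles/nodemon"  # constructed repository path

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(jwt: str) -> dict:
    """Decode the JWT payload without verifying the signature (diagnostic use only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_actions(jwt: str, repository: str, wanted: set) -> set:
    """Return the wanted actions that the token does not grant on `repository`."""
    granted = set()
    for entry in decode_claims(jwt).get("access") or []:
        # The name must match exactly: a stale or mistyped path grants nothing.
        if entry.get("type") == "repository" and entry.get("name") == repository:
            granted.update(entry.get("actions", []))
    if "*" in granted:  # wildcard action in the distribution token scheme
        return set()
    return set(wanted) - granted

def make_sample(actions: list) -> str:
    """Build a constructed, unsigned sample token for offline inspection."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"sub": "example-user", "aud": "container_registry",
              "access": [{"type": "repository", "name": REPO, "actions": actions}]}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()),
                     "constructed-signature"])

READ_ONLY = make_sample(["pull"])           # e.g. credentials with read_registry only
READ_WRITE = make_sample(["pull", "push"])  # read_registry plus write_registry

if __name__ == "__main__":
    for label, tok in (("read-only", READ_ONLY), ("read-write", READ_WRITE)):
        print(label, "missing:", sorted(missing_actions(tok, REPO, {"pull", "push"})))
    # Pushing under a path the token was not issued for is denied as well.
    print("wrong path missing:",
          sorted(missing_actions(READ_WRITE, "example-group/old-name", {"push"})))
```

A real token is the `token` field of the JSON returned by the realm URL that the registry advertises in its `WWW-Authenticate` header; treat it as a secret while it is valid.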

0
votes

I had the same issue.
In my case, the issue was I had AutoDevOps enabled before, which seems to generate a deploy token automatically. Now deploy tokens are just API keys basically for deployment. But GitLab has a special handling for gitlab-deploy-token which you can then access via $CI_DEPLOY_USER and $CI_DEPLOY_PASSWORD as a predefined variable.

However, I did not double-check the default token. In my case, it only had read_registry; of course, though, it also needs write_registry permissions.

If you do this, then you can follow the official documentation.

Alternatively, you can apparently also switch to $CI_REGISTRY_USER and $CI_REGISTRY_PASSWORD, which are ephemeral, however.