拒绝：将图像推送到 gitlab 注册表时请求访问资源被拒绝

Question

I'm trying to push an image to gitlab registry.

I've done it many times, so I wonder why I get this error.

I build the image with latest tag:

Successfully tagged registry.gitlab.com/mycompany/rgpd_api:latest

Then I login and I push:

docker login registry.gitlab.com -u gitlab+deploy-token-91931 
docker push registry.gitlab.com/mycompany/rgpd_api:latest

But I get:

The push refers to repository [registry.gitlab.com/mycompany/rgpd_api]
be679cc302b9: Preparing 
denied: requested access to the resource is denied

I gave gitlab+deploy-token-91931 token both read_repository and read_registry rights.

My repo is:

https://gitlab.com/mycompany/rgpd_api

I checked with docs page:https://docs.gitlab.com/ee/user/project/container_registry.html

But when I do it through Gitlab CI, with gitlab-ci-token

I can push it normally.

I also tried to regenerate a new token, but still same issue.

How can I fix it?

Answer 1

I've stumbled upon this question as well and it turns out that

• Group level Deploy tokens can be used to push images to group level container registry similarly to a PAT token with API access or other applicable scopes.
• The image must to be tagged with the tag that matches an existing project within the group.
• Any image tagged differently will be rejected with the denied: requested access to the resource is denied error message.

So, with the setup below:

• GitLab group called mytest
• Project within that group called hello-world
• Docker image tagged as registry.gitlab.com/mytest/hello-world
• Deploy token created for an entire group
• Docker daemon authorized to push to that registry by cat "<deploy_token>" | docker login -u "<token_username>" --password-stdin registry.gitlab.com cat "<deploy_token>" | docker login -u "<token_username>" --password-stdin registry.gitlab.com

You will get the following results:

• Successful push for docker push registry.gitlab.com/mytest/hello-world because such project exists within the group
• denied: requested access to the resource is denied if you try to push an image tagged with the name of the project that does not exist in the group like docker push registry.gitlab.com/mytest/no-project

So, again, image must be tagged to match an existing path within te group, like an existing project within the group or a subgroup.

Answer 2

My error was to use a deploy token to push a image to a registry.

A deploy token can be used to pull an image, but not push it.

So, instead, you can generate a Personal Access Token. You should add at least permissions:

read_registry, write_registry

Answer 3

Make sure you have proper configuration in settings.

Go to Settings of project, then "Visibility, project features, permissions" and check "Container registry : Every project can have its own space to store its Docker images" (for members only or for everyone, up to you). Otherwise, the push and pull will be denied.

This happened to me and that's how I solved it.

Answer 4

you can make docker logout your registry and login again. It's recreate your token. this work in my case.