Welcome to Software Development on Codidact!
Will you help us build our independent community of developers helping developers? We're small and trying to grow. We welcome questions about all aspects of software development, from design to code to QA and more. Got questions? Got answers? Got code you'd like someone to review? Please join us.
Post History
[2024-05-24: I originally wrote a similar answer in that other Q&A site] Summary: Check: Are you logged in? Look in ~/.docker/config.json for auths section The Auth token needs read_repos...
Answer
#1: Initial revision
by
milohax
·
2024-05-24T12:00:03Z (6 months ago)
[2024-05-24: I originally wrote [a similar answer in that other Q&A site](https://stackoverflow.com/questions/66968701/error-response-from-daemon-pull-access-denied-for-registry-gitlab-com-repositor/73001820#73001820)]
## Summary:
Check:
1. Are you [logged in](https://docs.gitlab.com/ee/user/packages/container_registry/authenticate_with_container_registry.html)? Look in `~/.docker/config.json` for `auths` section
1. The Auth token needs `read_repository` _and_ `write_repository` scopes (OP's answer)
1. Check the [container registry visibility](https://docs.gitlab.com/ee/user/packages/container_registry/#change-visibility-of-the-container-registry). If the container is only visible to _Reporter_ or higher, then the user which made the token needs to have that [role](https://docs.gitlab.com/ee/user/permissions.html)
1. Does the _Project_ already exist on GitLab? _You can't push to arbitrary or new namespace_
1. Did you build / tag with the same name?
---
## Access Denied for GitLab Container Registry
The `access denied` can be because the [personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) (PAT) which you are using does not have [access to the project for this container registry](https://docs.gitlab.com/ee/user/packages/container_registry/#authenticate-with-the-container-registry).
- The PAT must have `read_registry` [scope](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#personal-access-token-scopes) to be able to pull, and _also_ `write_registry` scope, if you want to push to the container registry
- The GitLab User who owns the PAT must have [permission](https://docs.gitlab.com/ee/user/permissions.html#project-members-permissions) to access the GitLab Project which owns this container registry:
- For a `docker push` to a Private project, you need at least _Developer_ access to that project
- For `docker pull`, it is enough to be a _Guest_
- If the container's visibility is **Only Project Members**, you need at least _Reporter_ access
You cannot use [deploy tokens](https://docs.gitlab.com/ee/user/project/deploy_tokens/index.html) with the public API. They are only useful for CI/CD jobs.
## Invalid tag name
Another reason for `access denied` can be if the project does not actually exist. You can't push to arbitrary namespaces in GitLab. For example, if the error says:
```text
access denied for registry.gitlab.com/milohax/backend
```
There is no "`backend`" project in `@milohax`'s namespace. This may not even be your namespace (since it's one of mine): http://gitlab.com/milohax
The container tag and the URL should match: for instance, you should probably be doing this, substituting your username or group name for `$GL_USER`, the project's namespace for `$GL_NAMESPACE`, and a name of the image for `$IMAGE` :
```shell
docker build -t registry.gitlab.com/$GL_USER/$GL_NAMESPACE/$IMAGE:1.0
docker push registry.gitlab.com/$GL_USER/$GL_NAMESPACE/$IMAGE:1.0
```