dockergitlabgitlab-ci

Can't push docker image to Gitlab registry from pipeline: "denied: access forbidden"


I'm using Gitlab (not self hosted) for CI/CD and fail to push a docker image to Gitlab's container registry from the pipeline. While logging in and building the image appear to work, pushing it produces an error: denied: access forbidden. I don't understand why the access is forbidden.

My .gitlab-ci.yml looks like this:

Deploy backend:
    before_script:
        - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    image: docker:latest
    script:
      - docker build -t registry.gitlab.com/profilename/projectname/backend .
      - docker push registry.gitlab.com/profilename/projectname/backend
    services:
      - docker:dind
    stage: deploy

This is the log from the job:

[0KRunning with gitlab-runner 15.9.0~beta.115.g598a7c91 (598a7c91)[0;m
[0K  on blue-5.shared.runners-manager.gitlab.com/default -AzERasQ, system ID: s_8a38c517a741[0;m
section_start:1676491269:prepare_executor
[0K[0K[36;1mPreparing the "docker+machine" executor[0;m[0;m
[0KUsing Docker executor with image docker:latest ...[0;m
[0KStarting service docker:dind ...[0;m
[0KPulling docker image docker:dind ...[0;m
[0KUsing docker image sha256:1278207f64426065791cb1a0a8967c69327c962f83273e57b63da0c55eb045ce for docker:dind with digest docker@sha256:44cd33fb5235eb32c853f17b6ae6dea3cc3fb9239b83f2e732c7de6f94829a72 ...[0;m
[0KWaiting for services to be up and running (timeout 30 seconds)...[0;m
[0KPulling docker image docker:latest ...[0;m
[0KUsing docker image sha256:1278207f64426065791cb1a0a8967c69327c962f83273e57b63da0c55eb045ce for docker:latest with digest docker@sha256:44cd33fb5235eb32c853f17b6ae6dea3cc3fb9239b83f2e732c7de6f94829a72 ...[0;m
section_end:1676491303:prepare_executor
[0Ksection_start:1676491303:prepare_script
[0K[0K[36;1mPreparing environment[0;m[0;m
Running on runner--azerasq-project-42230322-concurrent-0 via runner-azerasq-shared-1676491230-d30ae835...
section_end:1676491304:prepare_script
[0Ksection_start:1676491304:get_sources
[0K[0K[36;1mGetting source from Git repository[0;m[0;m
[32;1m$ eval "$CI_PRE_CLONE_SCRIPT"[0;m
[32;1mFetching changes with git depth set to 20...[0;m
Initialized empty Git repository in /builds/profilename/projectname/.git/
[32;1mCreated fresh repository.[0;m
[32;1mChecking out a693f85a as detached HEAD (ref is 1-remove-login-barrier)...[0;m

[32;1mSkipping Git submodules setup[0;m
section_end:1676491307:get_sources
[0Ksection_start:1676491307:download_artifacts
[0K[0K[36;1mDownloading artifacts[0;m[0;m
[32;1mDownloading artifacts for Build backend (3778290090)...[0;m
Downloading artifacts from coordinator... ok      [0;m  host[0;m=storage.googleapis.com id[0;m=3778290090 responseStatus[0;m=200 OK token[0;m=64_EXTxB
section_end:1676491309:download_artifacts
[0Ksection_start:1676491309:step_script
[0K[0K[36;1mExecuting "step_script" stage of the job script[0;m[0;m
[0KUsing docker image sha256:1278207f64426065791cb1a0a8967c69327c962f83273e57b63da0c55eb045ce for docker:latest with digest docker@sha256:44cd33fb5235eb32c853f17b6ae6dea3cc3fb9239b83f2e732c7de6f94829a72 ...[0;m
[32;1m$ docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY[0;m
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[32;1m$ docker build -t registry.gitlab.com/profilename/projectname/backend .[0;m
#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 121B done
#1 DONE 0.0s

#2 [internal] load .dockerignore
#2 transferring context: 134B done
#2 DONE 0.0s

#3 [auth] library/golang:pull token for registry-1.docker.io
#3 DONE 0.0s

#4 [internal] load metadata for docker.io/library/golang:alpine
#4 DONE 0.5s

#5 [1/3] FROM docker.io/library/golang:alpine@sha256:48f336ef8366b9d6246293e3047259d0f614ee167db1869bdbc343d6e09aed8a
#5 resolve docker.io/library/golang:alpine@sha256:48f336ef8366b9d6246293e3047259d0f614ee167db1869bdbc343d6e09aed8a 0.0s done
#5 sha256:18da4399cedd9e383beb6b104d43aa1d48bd41167e312bb5306d72c51bd11548 1.16kB / 1.16kB done
#5 sha256:0b94e5e3eec1be96be80bab3ffc3186af109233342f79fb5051b45ba4beb6bd5 5.11kB / 5.11kB done
#5 sha256:63b65145d645c1250c391b2d16ebe53b3747c295ca8ba2fcb6b0cf064a4dc21c 3.37MB / 3.37MB 0.2s done
#5 sha256:a2d21d5440ebff5aaaaeb115a003f7a4a3897f1866a87de95bc4a21436fc563c 284.82kB / 284.82kB 0.1s done
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 0B / 100.63MB 0.2s
#5 sha256:48f336ef8366b9d6246293e3047259d0f614ee167db1869bdbc343d6e09aed8a 1.65kB / 1.65kB done
#5 sha256:07244a03b3147bcdf5c1256e62110d50e31af7af76ef53aae3bcc9da8410dcdc 0B / 155B 0.2s
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 5.24MB / 100.63MB 0.3s
#5 sha256:07244a03b3147bcdf5c1256e62110d50e31af7af76ef53aae3bcc9da8410dcdc 155B / 155B 0.3s done
#5 extracting sha256:63b65145d645c1250c391b2d16ebe53b3747c295ca8ba2fcb6b0cf064a4dc21c
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 13.41MB / 100.63MB 0.4s
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 19.92MB / 100.63MB 0.5s
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 27.26MB / 100.63MB 0.6s
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 47.19MB / 100.63MB 0.8s
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 56.62MB / 100.63MB 0.9s
#5 ...

#6 [internal] load build context
#6 transferring context: 22.68MB 1.0s done
#6 DONE 1.1s

#5 [1/3] FROM docker.io/library/golang:alpine@sha256:48f336ef8366b9d6246293e3047259d0f614ee167db1869bdbc343d6e09aed8a
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 67.11MB / 100.63MB 1.0s
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 73.40MB / 100.63MB 1.1s
#5 extracting sha256:63b65145d645c1250c391b2d16ebe53b3747c295ca8ba2fcb6b0cf064a4dc21c 0.9s done
#5 extracting sha256:a2d21d5440ebff5aaaaeb115a003f7a4a3897f1866a87de95bc4a21436fc563c
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 79.69MB / 100.63MB 1.2s
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 98.57MB / 100.63MB 1.4s
#5 extracting sha256:a2d21d5440ebff5aaaaeb115a003f7a4a3897f1866a87de95bc4a21436fc563c 0.2s done
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 100.63MB / 100.63MB 2.1s done
#5 extracting sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d
#5 extracting sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 5.1s done
#5 extracting sha256:07244a03b3147bcdf5c1256e62110d50e31af7af76ef53aae3bcc9da8410dcdc
#5 extracting sha256:07244a03b3147bcdf5c1256e62110d50e31af7af76ef53aae3bcc9da8410dcdc done
#5 DONE 7.7s

#7 [2/3] COPY ./backend .
#7 DONE 2.3s

#8 [3/3] COPY ./.env .
#8 DONE 0.0s

#9 exporting to image
#9 exporting layers
#9 exporting layers 0.1s done
#9 writing image sha256:a68871721d60f549d798eeed6b0ee2cc341363fd92dc27b02226edb35715fdcd done
#9 naming to registry.gitlab.com/profilename/projectname/backend done
#9 DONE 0.1s
WARNING: buildx: git was not found in the system. Current commit information was not captured by the build
[32;1m$ docker push registry.gitlab.com/profilename/projectname/backend[0;m
Using default tag: latest
The push refers to repository [registry.gitlab.com/profilename/projectname/backend]
c7f4a40df92d: Preparing
ee97383dd371: Preparing
3ade35e5a1f0: Preparing
c6bcad44cf36: Preparing
d270ab11cf6e: Preparing
7cd52847ad77: Preparing
7cd52847ad77: Waiting
denied: access forbidden
section_end:1676491322:step_script
[0Ksection_start:1676491322:cleanup_file_variables
[0K[0K[36;1mCleaning up project directory and file based variables[0;m[0;m
section_end:1676491322:cleanup_file_variables
[0K[31;1mERROR: Job failed: exit code 1
[0;m

Building it locally and then uploading it to the Gitlab registry works perfectly. What am I missing here?


Solution

  • I went to Settings > CI/CD > Variables in Gitlab and deleted CI_REGISTRY_USER and CI_REGISTRY. The values of those variables looked ok to me, but apparently they get auto-populated if not defined with something else that works.