GitLab CI "image pull access denied" From the Registry
The runner could not pull the job image because the registry denied access. The image is private and no valid credentials reached the runner, or the path is wrong.
What this error means
The job fails during preparation while pulling the image: with "pull access denied" or "denied: requested access to the resource is denied". The script never runs because there is no container.
ERROR: Job failed: failed to pull image "registry.example.com/app:1.4"
with specified policies [always]: Error response from daemon:
pull access denied, repository does not exist or may require authorizationCommon causes
Private registry without credentials
Pulling a private image needs auth. Without DOCKER_AUTH_CONFIG or a CI job-token login, the runner pulls anonymously and is denied.
Wrong repository path or insufficient scope
A misspelled repository, or a token lacking read-registry scope for that project, produces an access-denied response identical to a missing-image error.
How to fix it
Provide DOCKER_AUTH_CONFIG for the job image
For image: pulls (before your script), set the DOCKER_AUTH_CONFIG CI/CD variable so the runner authenticates ahead of preparation.
# DOCKER_AUTH_CONFIG (CI/CD variable), masked:
{
"auths": {
"registry.example.com": {
"auth": "BASE64_OF_user:token"
}
}
}Use the GitLab Container Registry token in-script
For images pulled inside the script, log in with the CI job token.
docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"How to prevent it
- Set
DOCKER_AUTH_CONFIGfor any private job image. - Grant the pipeline token read access to the registry project.
- Verify the image path and tag exist before merging.