Skip to content
Latchkey

GitLab CI "image pull access denied" From the Registry

The runner could not pull the job image because the registry denied access. The image is private and no valid credentials reached the runner, or the path is wrong.

What this error means

The job fails during preparation while pulling the image: with "pull access denied" or "denied: requested access to the resource is denied". The script never runs because there is no container.

gitlab-ci
ERROR: Job failed: failed to pull image "registry.example.com/app:1.4"
with specified policies [always]: Error response from daemon:
pull access denied, repository does not exist or may require authorization

Common causes

Private registry without credentials

Pulling a private image needs auth. Without DOCKER_AUTH_CONFIG or a CI job-token login, the runner pulls anonymously and is denied.

Wrong repository path or insufficient scope

A misspelled repository, or a token lacking read-registry scope for that project, produces an access-denied response identical to a missing-image error.

How to fix it

Provide DOCKER_AUTH_CONFIG for the job image

For image: pulls (before your script), set the DOCKER_AUTH_CONFIG CI/CD variable so the runner authenticates ahead of preparation.

CI/CD variable
# DOCKER_AUTH_CONFIG (CI/CD variable), masked:
{
  "auths": {
    "registry.example.com": {
      "auth": "BASE64_OF_user:token"
    }
  }
}

Use the GitLab Container Registry token in-script

For images pulled inside the script, log in with the CI job token.

Job script
docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"

How to prevent it

  • Set DOCKER_AUTH_CONFIG for any private job image.
  • Grant the pipeline token read access to the registry project.
  • Verify the image path and tag exist before merging.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →