Is the CI_JOB_TOKEN really not authorized to access the registry API?

Question

The Gitlab Documentation clearly says that CI_JOB_TOKEN is valid authorization for the container registry API. But why, then, does the following when run in an otherwise empty test pipeline yield a 403 forbidden?

curl --header  "JOB-TOKEN: $CI_JOB_TOKEN" $CI_API_V4_URL/projects/$CI_PROJECT_ID/registry/repositories/

Even if the JOB_TOKEN inherits permission from the author of the pipeline it should work, since the author (me) can access above API with my personal API token.

What am I missing? And what could I do to debug it?

score 3 · Answer 1 · answered Sep 13 '21 at 14:12

3

As of now, the Job Token really does not support these API calls. I just tripped over this as well.

Some people even use elaborate kludges to mitigate this.

answered Sep 13 '21 at 14:12

rabejens

7,594
11
56
104

1

Same problem here. I hoped to use `CI_JOB_TOKEN`, but I will need to use a project access token instead. – Marek Grzenkowicz Jan 20 '22 at 08:15

score 0 · Answer 2 · answered Jul 06 '23 at 11:29

0

Update 2023

As of Gitlab 15.3 (August 2022), this feature is now available.

Documentation:

answered Jul 06 '23 at 11:29

liakoyras

1,101
12
27

The thing that was missing for me was that the package registry did not have CI job tokens "enabled" (I think by default). This actually yielded a 404 when the runner tried to connect, which seems quite misleading to me. – nadlr Aug 25 '23 at 14:39

Is the CI_JOB_TOKEN really not authorized to access the registry API?

2 Answers2

Update 2023