GitLab CI: Using a private project's container as an image
In GitLab, if you have a Container Registry set up for a private project (“Project A”), and you wish to use one of those containers in the image: field of .gitlab-ci.yml in another project (“Project B”), e.g.:
Then you may get a Failed to pull image error like the following:
The problem is that the GitLab Runner for Project B does not have permission to access Project A’s Container Registry, even if both projects are part of the same group.
You can fix this by using the DOCKER_AUTH_CONFIG variable to grant Project B’s GitLab Runner permission to pull from Project A’s Container Registry.
If you want to pull the image from within the container, for example, to use it in the FROM <image> line of a Dockerfile, then you will need to follow these steps instead. This is because the use of DOCKER_AUTH_CONFIG only grants access to the GitLab Runner, allowing it to fetch the image and launch it as a container; it does not grant access for anything running inside the container!
To set up the DOCKER_AUTH_CONFIG variable, follow these steps:
- On Project A (the one with the Container Registry), go to Settings > Access Tokens.
- Choose a token name, e.g. ci_pull_containers.
- Set role to “Developer”.
- Check the box for read_registry.
- Click “Create project access token”:
- Generate a base64 string using these commands:
- Copy and paste the base64 string into this JSON, and replace your.gitlab.address.com:5000 with the URL and port of your GitLab instance:
- On Project B (the one wanting to access Project A’s Container Registry), go to Settings > CI/CD > Variables.
- Click Add variable to open up a modal.
- Set the key as DOCKER_AUTH_CONFIG.
- Paste the JSON into the value field:
- Click Add variable to save the new variable.
- That’s it! CI jobs run on Project B will now automatically use DOCKER_AUTH_CONFIG, allowing them to pull images from Project A’s Container Registry. In the GitLab CI log, this should now look like:
- Note that when the token expires you will need to create a new one and update DOCKER_AUTH_CONFIG.
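As an added example (not from the original post), this shell script builds the DOCKER_AUTH_CONFIG JSON from a token username and token value, then checks that the encoded credential decodes back exactly, with no stray newline of the kind `echo ... | base64` would embed. The function names and the user/pass values are constructed placeholders; it assumes Docker's standard auths format, where auth is the base64 of username:token.

```shell
#!/bin/sh
# Added example: build and verify a DOCKER_AUTH_CONFIG value.
# Registry address, username and token below are constructed placeholders.

# Encode "username:token" as a single base64 line. printf is used instead of
# echo so that no trailing newline ends up inside the encoded credential.
encode_auth() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Print the DOCKER_AUTH_CONFIG JSON for one registry.
# $1 = registry host:port, $2 = token username, $3 = token value
make_docker_auth_config() {
    printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$1" "$(encode_auth "$2" "$3")"
}

# Decode the auth field of a DOCKER_AUTH_CONFIG JSON read from stdin.
decode_docker_auth_config() {
    sed -n 's/.*"auth"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | base64 -d
}

# Return 0 only if the JSON names the expected registry and its auth field
# decodes to exactly the expected "username:token" string.
check_docker_auth_config() {
    json=$1 registry=$2 expected=$3
    case $json in
        *"\"$registry\""*) ;;
        *) echo "registry key $registry not found" >&2; return 1 ;;
    esac
    # Command substitution strips trailing newlines, which would hide an
    # encoded newline; append a sentinel "x" and remove it afterwards.
    decoded=$(printf '%s' "$json" | decode_docker_auth_config; printf x)
    decoded=${decoded%x}
    [ "$decoded" = "$expected" ] || { echo "credential mismatch" >&2; return 1; }
}

# Demo with constructed values: print the JSON only if it verifies.
cfg=$(make_docker_auth_config "your.gitlab.address.com:5000" "user" "pass")
check_docker_auth_config "$cfg" "your.gitlab.address.com:5000" "user:pass" \
    && printf '%s\n' "$cfg"
```

The printed JSON is what goes into the value field of the CI/CD variable; the registry key must match the host and port used in the image: reference.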