
Dependency proxy image pull failures for pipelines triggered by project access tokens

Summary

Pipelines triggered by project access token users in projects that use the dependency proxy cannot pull images through it. Builds that pull images from the dependency proxy fail 100% of the time: https://app.periscopedata.com/app/gitlab/893054/Jen-Shin-sandbox?widget=12202251&udv=0

Steps to reproduce

  1. Configure a project to use dependency proxy
  2. Trigger a pipeline in that project with a project_access_token user (like https://gitlab.com/project_278964_bot3)
  3. Observe jobs that pull images using the dependency proxy

Example Project

https://gitlab.com/gitlab-org/gitlab/ with https://gitlab.com/gitlab-org/gitlab/-/jobs/1307079015

What is the current bug behavior?

Builds like https://gitlab.com/gitlab-org/gitlab/-/jobs/1307079015 fail with the following error: ERROR: Preparation failed: failed to pull image "gitlab.com:443/gitlab-org/dependency_proxy/containers/ruby:2.7" with specified policies [always]: Error response from daemon: unauthorized: authentication required (manager.go:205:0s)

What is the expected correct behavior?

The image can be pulled.

Relevant logs and/or screenshots

https://gitlab.com/gitlab-org/gitlab/-/jobs/1307079015

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

This happens on GitLab.com

Results of GitLab application Check

This happens on GitLab.com

Possible fixes

  • Fix the authentication issue. There is an MR in progress: !128583 (merged)
  • Change authorization to give the project access token access to dependency proxy. The fix is likely a change in GroupPolicy here
  • If this is the desired behavior, suggest that project access token users not be used to trigger pipelines where the dependency proxy is used

NOTE: To make project access tokens work, both the authentication and the authorization issues need to be addressed.

Workaround

Project access token users should not be used to trigger pipelines where the dependency proxy is used. You could override it, similar to !100912 (diffs)

Edited by Radamanthus Batnag
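
A triage sketch for the failure described in this issue, added here as an example and not part of the original report or of GitLab's code: it scans job logs for the quoted runner error and separates dependency proxy pull failures in bot-triggered pipelines from other unauthorized pulls. The verdict names, the sample jobs and the bot username pattern (generalised from project_278964_bot3) are assumptions.

```python
import re

# Runner error quoted in this issue: an image pull rejected as unauthorized.
PULL_UNAUTHORIZED = re.compile(
    r'failed to pull image "(?P<image>[^"]+)".*unauthorized: authentication required'
)
# Path segment of dependency proxy image references, as seen in the quoted error.
PROXY_SEGMENT = "/dependency_proxy/containers/"
# Assumption: bot usernames follow the shape of the example project_278964_bot3.
BOT_USERNAME = re.compile(r"^project_\d+_bot\d*$")


def classify(username, log_text):
    """Return (verdict, image) for one job; image is None when no pull failed."""
    match = PULL_UNAUTHORIZED.search(log_text)
    if match is None:
        return ("no_unauthorized_pull", None)
    image = match.group("image")
    if PROXY_SEGMENT not in image:
        # Same daemon error, but the image did not come through the proxy.
        return ("unauthorized_pull_outside_proxy", image)
    if BOT_USERNAME.match(username):
        return ("matches_this_issue", image)
    # Proxy pull failed for a non-bot user: look for a different cause.
    return ("proxy_unauthorized_other_user", image)


# Constructed sample input (not real job data): (triggering user, job log).
PROXY_IMAGE = "gitlab.com:443/gitlab-org/dependency_proxy/containers/ruby:2.7"
ERROR_FMT = (
    'ERROR: Preparation failed: failed to pull image "{}" with specified '
    "policies [always]: Error response from daemon: unauthorized: "
    "authentication required (manager.go:205:0s)"
)
SAMPLE_JOBS = [
    ("project_278964_bot3", ERROR_FMT.format(PROXY_IMAGE)),
    ("alice", ERROR_FMT.format(PROXY_IMAGE)),
    ("project_278964_bot3", ERROR_FMT.format("registry.example.com/tools/lint:1.0")),
    ("project_278964_bot3", "Job succeeded"),
]

if __name__ == "__main__":
    for user, log in SAMPLE_JOBS:
        verdict, image = classify(user, log)
        print(f"{user:22} {verdict:32} {image or '-'}")
```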