Why am I getting errors about insufficient scope in Container Registry?

You have a valid IAM API key or OAuth token, but you still get Access denied errors about insufficient scope in IBM Cloud® Container Registry.

When you try to access Container Registry, you get the following message:

Insufficient scope

You might see this message if you are trying to access Container Registry by using a client such as Docker. The following alternatives are possible causes:

• Scenario A. The API key that is used to access Container Registry has insufficient permissions.
• Scenario B. Context-based restriction rules are in place.

You can fix this problem in the following ways:

• Scenario A. Confirm that the API key that you are using has suitable permissions for the resource that you are trying to access. Contact the owner of the resource for help. For more information, see Managing IAM access.

• Scenario B. Check whether context-based restriction rules are in place. If so, these rules prevent you from accessing resources outside the defined allowed contexts. Adjust the allowed context or rerun your pull from within an allowed context. For more information, see Protecting Container Registry resources with context-based restrictions.

  To confirm whether a context-based restriction rule caused the Access denied error, check IBM Cloud Activity Tracker for the resource that is being accessed. For more information, see Monitoring context-based restrictions.