Why am I getting errors about insufficient scope in Container Registry?

You have a valid IAM API key or OAuth token, but you still get Access denied errors about insufficient scope in IBM Cloud® Container Registry.

When you try to access Container Registry, you get the following message:

Insufficient scope

You might see this message if you are trying to access Container Registry by using a client such as Docker. The following alternatives are possible causes:

• Scenario A. The API key that is used to access Container Registry has insufficient permissions.
• Scenario B. Context-based restriction rules are in place.

You can fix this problem in the following ways:

• Scenario A. Confirm that the API key that you are using has suitable permissions for the resource that you are trying to access. Contact the owner of the resource for help. For more information, see Managing IAM access.

• Scenario B. Check whether context-based restriction rules are in place. If so, these rules prevent you from accessing resources outside the defined allowed contexts. Adjust the allowed context or rerun your pull from within an allowed context. For more information, see Protecting Container Registry resources with context-based restrictions.

  To confirm whether a context-based restriction rule caused the Access denied error, check IBM Cloud Activity Tracker or IBM Cloud Logs for the resource that is being accessed. For more information, see Monitoring context-based restrictions.

  As of 28 March 2024, the IBM Cloud Activity Tracker service is deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs before 30 March 2025. During the migration period, customers can use IBM Cloud Activity Tracker along with IBM Cloud Logs. Activity tracking events are the same for both services. For more information about migrating from IBM Cloud Activity Tracker to IBM Cloud Logs and running the services in parallel, see migration planning.