Welcome to Software Development on Codidact!
Will you help us build our independent community of developers helping developers? We're small and trying to grow. We welcome questions about all aspects of software development, from design to code to QA and more. Got questions? Got answers? Got code you'd like someone to review? Please join us.
Docker push fails with message "denied: requested access to the resource is denied"
Recently I had to push a new Docker image to our GitLab registry.
- I have the Maintainer role on that project.
- I had created a new token and used it to log in to Docker.
However, when trying to build and push the image, I got the error message
denied: requested access to the resource is denied
The output looked as follows:
The push refers to repository [registry.gitlab.com/.../...]
ae17b0564d98: Preparing
9ef3e4c4bfdc: Preparing
4504b43db9b6: Preparing
108bb35b89d0: Preparing
793f447bc25b: Preparing
397bd9b6f39e: Waiting
290cec21aafb: Waiting
e7f8b07649a4: Waiting
109e67eff29c: Waiting
556c5fb0d91b: Waiting
denied: requested access to the resource is denied
Why can't I push my new Docker image to the GitLab registry?
(I've found that there are many possible reasons for this error. I've found the solution for my case and will add it as an answer. If you have a different solution, please add it as an answer for future visitors!)
2 answers
The following users marked this post as Works for me:
User | Comment | Date |
---|---|---|
milohax | (no comment) | May 24, 2024 at 12:00 |
FractionalRadix | (no comment) | May 24, 2024 at 12:39 |
[2024-05-24: I originally wrote a similar answer in that other Q&A site]
Summary:
Check:
- Are you logged in? Look in
~/.docker/config.json
forauths
section - The Auth token needs
read_repository
andwrite_repository
scopes (OP's answer) - Check the container registry visibility. If the container is only visible to Reporter or higher, then the user which made the token needs to have that role
- Does the Project already exist on GitLab? You can't push to arbitrary or new namespace
- Did you build / tag with the same name?
Access Denied for GitLab Container Registry
The access denied
can be because the personal access token (PAT) which you are using does not have access to the project for this container registry.
- The PAT must have
read_registry
scope to be able to pull, and alsowrite_registry
scope, if you want to push to the container registry - The GitLab User who owns the PAT must have permission to access the GitLab Project which owns this container registry:
- For a
docker push
to a Private project, you need at least Developer access to that project - For
docker pull
, it is enough to be a Guest - If the container's visibility is Only Project Members, you need at least Reporter access
- For a
You cannot use deploy tokens with the public API. They are only useful for CI/CD jobs.
Invalid tag name
Another reason for access denied
can be if the project does not actually exist. You can't push to arbitrary namespaces in GitLab. For example, if the error says:
access denied for registry.gitlab.com/milohax/backend
There is no "backend
" project in @milohax
's namespace. This may not even be your namespace (since it's one of mine): http://gitlab.com/milohax
The container tag and the URL should match: for instance, you should probably be doing this, substituting your username or group name for $GL_USER
, the project's namespace for $GL_NAMESPACE
, and a name of the image for $IMAGE
:
docker build -t registry.gitlab.com/$GL_USER/$GL_NAMESPACE/$IMAGE:1.0
docker push registry.gitlab.com/$GL_USER/$GL_NAMESPACE/$IMAGE:1.0
1 comment thread
The following users marked this post as Works for me:
User | Comment | Date |
---|---|---|
FractionalRadix | (no comment) | May 14, 2024 at 12:05 |
There are many reasons why this error may occur.
In my case, my new token had the read_registry
scope but not the write_registry
scope.
I created a new token that had the read_registry
and write_registry
scopes. I then logged out of Docker, and logged in again using the new token.
After that I was able to push the new image successfully.
I found this solution on that other Q&A site.
0 comment threads