Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Q&A

Welcome to Software Development on Codidact!

Will you help us build our independent community of developers helping developers? We're small and trying to grow. We welcome questions about all aspects of software development, from design to code to QA and more. Got questions? Got answers? Got code you'd like someone to review? Please join us.

Post History

60%
+1 −0
Q&A Docker push fails with message "denied: requested access to the resource is denied"

[2024-05-24: I originally wrote a similar answer in that other Q&A site] Summary: Check: Are you logged in? Look in ~/.docker/config.json for auths section The Auth token needs read_repos...

posted 6mo ago by milohax‭

Answer
#1: Initial revision by user avatar milohax‭ · 2024-05-24T12:00:03Z (6 months ago)
[2024-05-24: I originally wrote [a similar answer in that other Q&A site](https://stackoverflow.com/questions/66968701/error-response-from-daemon-pull-access-denied-for-registry-gitlab-com-repositor/73001820#73001820)]

## Summary:

Check:

1. Are you [logged in](https://docs.gitlab.com/ee/user/packages/container_registry/authenticate_with_container_registry.html)? Look in `~/.docker/config.json` for `auths` section
1. The Auth token needs `read_repository` _and_ `write_repository` scopes (OP's answer)
1. Check the [container registry visibility](https://docs.gitlab.com/ee/user/packages/container_registry/#change-visibility-of-the-container-registry). If the container is only visible to _Reporter_ or higher, then the user which made the token needs to have that [role](https://docs.gitlab.com/ee/user/permissions.html)
1. Does the _Project_ already exist on GitLab? _You can't push to arbitrary or new namespace_
1. Did you build / tag with the same name?

---

## Access Denied for GitLab Container Registry

The `access denied` can be because the [personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) (PAT) which you are using does not have [access to the project for this container registry](https://docs.gitlab.com/ee/user/packages/container_registry/#authenticate-with-the-container-registry).

- The PAT must have `read_registry` [scope](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#personal-access-token-scopes) to be able to pull, and _also_ `write_registry` scope, if you want to push to the container registry
- The GitLab User who owns the PAT must have [permission](https://docs.gitlab.com/ee/user/permissions.html#project-members-permissions) to access the GitLab Project which owns this container registry:
    - For a `docker push` to a Private project, you need at least _Developer_ access to that project
    - For `docker pull`, it is enough to be a _Guest_
    - If the container's visibility is **Only Project Members**, you need at least _Reporter_ access

You cannot use [deploy tokens](https://docs.gitlab.com/ee/user/project/deploy_tokens/index.html) with the public API. They are only useful for CI/CD jobs.

## Invalid tag name

Another reason for `access denied` can be if the project does not actually exist. You can't push to arbitrary namespaces in GitLab. For example, if the error says:

```text
access denied for registry.gitlab.com/milohax/backend
```

There is no "`backend`" project in `@milohax`'s namespace. This may not even be your namespace (since it's one of mine): http://gitlab.com/milohax

The container tag and the URL should match: for instance, you should probably be doing this, substituting your username or group name for `$GL_USER`, the project's namespace for `$GL_NAMESPACE`, and a name of the image for `$IMAGE` :

```shell
docker build -t registry.gitlab.com/$GL_USER/$GL_NAMESPACE/$IMAGE:1.0

docker push registry.gitlab.com/$GL_USER/$GL_NAMESPACE/$IMAGE:1.0
```