What does docker:denied_requested_access mean?

Docker denied access because the repository path is wrong, the image is private, or the provided credentials do not have permission.

How do I prevent docker:denied_requested_access in CI?

Use scoped tokens for CI and rotate them regularly. Use a proxy or cache registry to minimize credential prompts across environments.

docker: denied_requested_access

Fix it fast

Most likely: The image reference points to the wrong registry, namespace, or repository, or the logged-in account/token does not have pull or push access to that exact repository.

1. Confirm this is your error

Error response from daemon: pull access denied for <image>, repository does not exist or may require "docker login": denied: requested access to the resource is denied
unauthorized: authentication required
unauthorized: incorrect username or password

2. Check the cause

docker logout <registry>
docker login <registry>
docker manifest inspect <registry>/<namespace>/<repository>:<tag>
docker image ls

3. Apply the safe fix

# Pull: use the exact registry host, namespace, repository, and tag from the registry UI.
docker pull <registry>/<namespace>/<repository>:<tag>

# Push: tag the image to the repository you actually have write access to.
docker tag <local-image>:<tag> <registry>/<namespace>/<repository>:<tag>
docker push <registry>/<namespace>/<repository>:<tag>

4. Verify it works

docker manifest inspect <registry>/<namespace>/<repository>:<tag>
docker pull <registry>/<namespace>/<repository>:<tag>

Don't use unsafe shortcuts

Do not log in to a different registry host than the one in the image reference.
Do not assume library/name and username/name are interchangeable on Docker Hub.
Do not print registry passwords or tokens in CI logs while debugging access.

What Access Failed

This is usually a target-and-identity problem, not a syntax problem. The request made it to the server, but the server did not like the credentials, permissions, or repository path attached to it.

Fix credentials and target access

Check the target and the credential together. Most of these fixes come down to using the right URL, account or token, and scope or repository permissions in the environment that actually failed.

Double-check the full image reference first, including registry host, namespace, and repository name.

Login to the exact registry host:docker login <registry>

If you are pushing, confirm the repository exists and that your token has write permission.

If you are pulling, confirm the image path is correct before treating it as an auth problem.

If this happens in CI, print the resolved image reference and verify the injected secrets are not empty.

Manual authentication checks

Compare the failing image reference with the repository path shown in your registry UI.

Check whether the repository is public, private, or missing entirely.

Validate which account or token the environment is actually using for the registry host.

Why It Happens

Usually this comes down to the repository or namespace in the image reference is wrong, the repository exists, but your account or token does not have pull or push permission, or the image is private and the request is effectively anonymous or authenticated as the wrong account.

Prove the Failing Environment Can Reach It

Retry the pull or push and confirm it succeeds, and run docker logout then docker login to validate credentials explicitly.

How registry authentication works

Docker authenticates to a registry host, then asks for manifests and layers for a specific repository path. If the path is wrong or the authenticated identity lacks access, the registry returns an authorization error.

Keep Credentials and Targets Aligned

To prevent this, use scoped tokens for CI and rotate them regularly, and use a proxy or cache registry to minimize credential prompts across environments.