unauthorized: authentication required

Login to the exact registry host shown in the image reference:docker login <registry>

If this happens in CI, print the registry host and confirm the secret variables are present before the login step.

If you use a cloud registry, fetch a fresh short-lived token and retry the login.

If credentials are stored locally, run docker logout <registry> and then log in again so Docker refreshes the stored credential.

You are not logged in to the target registry host.

CI did not inject the expected token or password into docker login.

The credential helper is not returning credentials for the registry you are talking to.

Retry the pull or push and confirm the registry no longer returns authentication required.

Run a simple authenticated operation against the same registry and repository path.

Print the exact registry host from the image reference.

Check ~/.docker/config.json and confirm the host is covered by either auths or your configured credential helper.

If CI is involved, confirm the login step actually ran before the failing pull or push.

Docker sends registry credentials based on the registry host in the image reference.

If no valid credentials are available for that host, the registry rejects the request before Docker can read manifests or layers.

Keep registry hostnames explicit in scripts instead of relying on ambiguous defaults.

Use automation tokens for CI and rotate them regularly.

Document which credential helper or secret source each environment uses.