What Access Failed
Docker login failed because the registry rejected the username or password, so the stored credentials or access token are wrong.
This is usually a target-and-identity problem, not a syntax problem. The request made it to the server, but the server did not like the credentials, permissions, or repository path attached to it.
Fix credentials and target access
Clear the bad credential first: docker logout <registry>
Log in again with the correct username and a current password or access token.
If you use a credential helper or OS keychain, remove the stale entry there as well before retrying.
If this fails in CI only, rotate the secret and verify the job is using the updated value.
Manual authentication checks
Check whether Docker is pulling credentials from a keychain helper instead of plain auths in ~/.docker/config.json.
Verify the registry username matches the account that owns or can access the repository.
If the secret was rotated recently, confirm the old value is not still cached in CI.
Why It Happens
Usually this comes down to one of three causes: the username, password, or access token is wrong; a credential helper returned stale credentials after the token was rotated; or CI is using the wrong secret or the wrong account for the target registry.
Prove the Failing Environment Can Reach It
Retry the same pull or push and confirm the incorrect-password error is gone, and perform a fresh docker login <registry> and confirm it succeeds without reusing cached credentials.
How registry authentication works
Docker attaches stored credentials for the target registry host when it authenticates. If those credentials are stale or wrong, the registry rejects the login or repository request immediately.
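To make the manual check above concrete, the following added example (not part of the original page) reads a Docker client config and reports whether credentials for a registry come from a per-registry helper, the global credential store, or plain auths, showing only the stored username. The function name credential_source, the sample hosts and the sample account are constructed for illustration, and registry keys are assumed to match exactly.

```python
import base64
import json
import os
import sys

def credential_source(config, registry):
    """Report where Docker looks up credentials for `registry`, never the secret.

    Lookup order follows Docker's documented behaviour: a per-registry
    credHelpers entry wins, then the global credsStore, then plain auths.
    Assumption: `registry` is matched exactly against the keys in the file.
    """
    helpers = config.get("credHelpers", {})
    if registry in helpers:
        return {"source": "credHelpers", "helper": "docker-credential-" + helpers[registry]}
    if config.get("credsStore"):
        return {"source": "credsStore", "helper": "docker-credential-" + config["credsStore"]}
    entry = config.get("auths", {}).get(registry)
    if entry is None:
        return {"source": "none"}
    result = {"source": "auths", "username": None}
    try:
        # "auth" is base64("username:password"); split on the first colon only.
        decoded = base64.b64decode(entry.get("auth", "")).decode("utf-8")
        result["username"] = decoded.split(":", 1)[0] or None
    except (ValueError, UnicodeDecodeError):
        result["source"] = "auths (malformed auth field)"
    return result

# Constructed sample config; hosts, account name and token are placeholders.
SAMPLE = {
    "auths": {
        "registry.example.com": {
            "auth": base64.b64encode(b"ci-bot:not-a-real-token").decode()
        },
        "ghcr.io": {},
    },
    "credHelpers": {"ghcr.io": "secretservice"},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run: pass the registry host as the first argument.
        root = os.environ.get("DOCKER_CONFIG", os.path.expanduser("~/.docker"))
        with open(os.path.join(root, "config.json")) as fh:
            print(credential_source(json.load(fh), sys.argv[1]))
    else:
        for host in ("ghcr.io", "registry.example.com", "other.example.com"):
            print(host, credential_source(SAMPLE, host))
```

If the result names a helper, the stale entry lives in that helper or OS keychain rather than in config.json, so docker logout alone may not be the only cleanup needed.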
Examples
unauthorized: incorrect username or password
Keep Credentials and Targets Aligned
To prevent this, prefer scoped tokens over long-lived passwords for automation, rotate registry tokens on a schedule and update all consuming jobs together, and avoid sharing one mutable credential across unrelated environments.