The 'denied: requested access to the resource is denied' error occurs when Docker cannot authenticate or authorize access to a container registry. This typically happens when pushing images without proper tagging, missing authentication, or insufficient permissions on the target repository.
This error appears when Docker attempts to access a container registry (such as Docker Hub, GitHub Container Registry, or Amazon ECR) but the request is rejected due to authentication or authorization issues. The registry is essentially saying "I do not recognize you as someone who has permission to access this resource." This can happen during both push and pull operations, though it is most commonly encountered when pushing images. There are three main categories of causes: 1. **Authentication issues** - You are not logged in, your session has expired, or your credentials are corrupted 2. **Authorization issues** - You are logged in but do not have permission to access the specific repository 3. **Naming issues** - The image is not tagged correctly to match your account or the repository does not exist
The most common cause is an incorrectly tagged image. Docker Hub requires images to follow the format username/image:tag.
# Check your current image tags
docker images
# If your image is tagged as 'myapp:latest' without a username, retag it:
docker tag myapp:latest YOUR_DOCKERHUB_USERNAME/myapp:latest
# Verify the new tag
docker images | grep myappReplace YOUR_DOCKERHUB_USERNAME with your actual Docker Hub username. Find your username at [hub.docker.com](https://hub.docker.com) after logging in.
Ensure you are authenticated with Docker Hub:
# Log in interactively
docker login
# For CI/CD, use stdin to avoid exposing credentials
echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdinAfter successful login, you should see "Login Succeeded". Credentials are stored in ~/.docker/config.json.
If login appears successful but push still fails, your cached credentials may be corrupted:
# Log out from Docker Hub
docker logout
# Remove cached credentials
rm ~/.docker/config.json
# Log in again
docker loginOn Windows, the config file is at C:\Users\<username>\.docker\config.json. On macOS, credentials may also be stored in Keychain.
Docker Hub requires email verification before you can push images:
1. Go to [hub.docker.com](https://hub.docker.com) and log in
2. Click on your profile icon and select "Account Settings"
3. Check if your email is verified
4. If not, click "Resend verification email"
5. Click the link in the verification email
6. Retry your docker push command
If pushing to an organization repository, verify you have push access:
1. Go to the repository page on Docker Hub
2. Click "Settings" then "Permissions"
3. Verify your account has "Write" or "Admin" access
4. If not, ask the organization owner to grant access
For your own repositories, ensure the repository name matches your username exactly (case-sensitive).
After fixing the authentication and tagging, push your image:
# Push to Docker Hub
docker push YOUR_DOCKERHUB_USERNAME/myapp:latest
# For organizations
docker push YOUR_ORG_NAME/myapp:latestYou should see layer upload progress. If it fails immediately, check the error message for clues.
### Private Registry Authentication
For private registries (not Docker Hub), include the registry URL in both login and tag:
# Log in to private registry
docker login registry.example.com
# Tag with registry URL
docker tag myapp:latest registry.example.com/myapp:latest
# Push
docker push registry.example.com/myapp:latest### GitHub Container Registry (GHCR)
GHCR requires a Personal Access Token (PAT) with write:packages scope:
echo $GITHUB_PAT | docker login ghcr.io -u USERNAME --password-stdin
docker tag myapp:latest ghcr.io/USERNAME/myapp:latest
docker push ghcr.io/USERNAME/myapp:latest### Amazon ECR
Authenticate using AWS CLI:
aws ecr get-login-password --region us-east-1 | \
docker login --username AWS --password-stdin \
123456789012.dkr.ecr.us-east-1.amazonaws.com### Sudo Credential Scope
Credentials are stored per-user. Using sudo changes which credentials Docker uses:
# Regular user credentials
docker login # Stores in ~/.docker/config.json
docker push myimage # Uses ~/.docker/config.json
# Root credentials
sudo docker login # Stores in /root/.docker/config.json
sudo docker push # Uses /root/.docker/config.jsonBe consistent: if you use sudo docker push, you must also use sudo docker login.
### Docker Hub Rate Limits and Repository Limits
Free Docker Hub accounts have limits:
- Private repositories: Limited to 1 (as of 2023)
- Pull rate limits: 100 pulls per 6 hours for anonymous, 200 for authenticated
If you exceed private repo limits, pushes may fail with access denied. Check your limits at hub.docker.com account settings.
### CI/CD Best Practices
For CI/CD pipelines:
# GitHub Actions example
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}Use Docker Hub Access Tokens instead of passwords for better security and easier revocation.
image operating system "linux" cannot be used on this platform
How to fix 'image operating system linux cannot be used on this platform' in Docker
manifest unknown: manifest unknown
How to fix 'manifest unknown' in Docker
cannot open '/etc/passwd': Permission denied
How to fix 'cannot open: Permission denied' in Docker
Error response from daemon: failed to create the ipvlan port
How to fix 'failed to create the ipvlan port' in Docker
toomanyrequests: Rate exceeded for anonymous users
How to fix 'Rate exceeded for anonymous users' in Docker Hub