Skip to content
Latchkey

CircleCI Docker Registry Login Fails in a Step - Fix Auth

A docker login or docker push step fails to authenticate to the registry. The credentials are missing, the context holding them is not attached, or the login method is wrong for ECR/GCR/GHCR - so the push is denied.

What this error means

A build step that logs in to a registry or pushes an image fails with "unauthorized" or "denied". Pulling a public base image works; authenticating to push is what fails, pointing at credentials, not the network.

job log
$ echo "$REGISTRY_PASSWORD" | docker login -u "$REGISTRY_USER" --password-stdin
Error: Cannot perform an interactive login from a non TTY device
# or
denied: requested access to the resource is denied

Common causes

Credentials missing or context not attached

The REGISTRY_USER/REGISTRY_PASSWORD (or a token) env vars are unset because the context that holds them was not attached to the job.

Wrong login method for the registry

ECR needs an aws ecr get-login-password token, GCR/Artifact Registry needs a service-account JSON or access token, GHCR needs a PAT/GITHUB_TOKEN. A plain user/password login fails for these.

Token scope or expiry

A token without push scope, or an expired short-lived token (common with ECR), is rejected at push time even if login appeared to succeed.

How to fix it

Authenticate with a non-interactive login

.circleci/config.yml
- run:
    name: Login and push
    command: |
      echo "$REGISTRY_PASSWORD" | docker login registry.example.com \
        -u "$REGISTRY_USER" --password-stdin
      docker push registry.example.com/org/app:latest

Use the registry’s own auth flow

  1. ECR: aws ecr get-login-password | docker login --password-stdin <acct>.dkr.ecr....
  2. GCR/Artifact Registry: authenticate with a service-account key or access token.
  3. GHCR: log in with a PAT that has write:packages scope.
  4. Store all secrets in an attached context, with push scope.

How to prevent it

  • Attach the context holding registry credentials to the pushing job.
  • Use the registry-native login flow (ECR/GCR/GHCR), not a generic password.
  • Scope tokens to push and refresh short-lived ones in the job.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →