CircleCI Docker Registry Login Fails in a Step - Fix Auth
A docker login or docker push step fails to authenticate to the registry. The credentials are missing, the context holding them is not attached, or the login method is wrong for ECR/GCR/GHCR - so the push is denied.
What this error means
A build step that logs in to a registry or pushes an image fails with "unauthorized" or "denied". Pulling a public base image works; authenticating to push is what fails, pointing at credentials, not the network.
$ echo "$REGISTRY_PASSWORD" | docker login -u "$REGISTRY_USER" --password-stdin
Error: Cannot perform an interactive login from a non TTY device
# or
denied: requested access to the resource is deniedCommon causes
Credentials missing or context not attached
The REGISTRY_USER/REGISTRY_PASSWORD (or a token) env vars are unset because the context that holds them was not attached to the job.
Wrong login method for the registry
ECR needs an aws ecr get-login-password token, GCR/Artifact Registry needs a service-account JSON or access token, GHCR needs a PAT/GITHUB_TOKEN. A plain user/password login fails for these.
Token scope or expiry
A token without push scope, or an expired short-lived token (common with ECR), is rejected at push time even if login appeared to succeed.
How to fix it
Authenticate with a non-interactive login
- run:
name: Login and push
command: |
echo "$REGISTRY_PASSWORD" | docker login registry.example.com \
-u "$REGISTRY_USER" --password-stdin
docker push registry.example.com/org/app:latestUse the registry’s own auth flow
- ECR:
aws ecr get-login-password | docker login --password-stdin <acct>.dkr.ecr.... - GCR/Artifact Registry: authenticate with a service-account key or access token.
- GHCR: log in with a PAT that has
write:packagesscope. - Store all secrets in an attached context, with push scope.
How to prevent it
- Attach the context holding registry credentials to the pushing job.
- Use the registry-native login flow (ECR/GCR/GHCR), not a generic password.
- Scope tokens to push and refresh short-lived ones in the job.