Skip to content
Latchkey

Azure ACR "unauthorized: ... not authorized" on push in CI

ACR rejected the push because the identity is not authorized to write. Either no az acr login / token login ran, or the service principal/managed identity lacks the AcrPush role on the registry. Assign AcrPush and log in to the correct *.azurecr.io host.

What this error means

docker push to <registry>.azurecr.io fails with "unauthorized: <client> is not authorized to perform action" or "authentication required".

docker
denied: requested access to the resource is denied
unauthorized: authentication required

Common causes

The principal lacks the AcrPush role

The identity authenticated to Azure but has no push permission on the registry, so ACR denies the write.

No az acr login for this registry

Without az acr login --name <reg> (or a token login), the docker daemon has no ACR credentials for the push host.

How to fix it

Assign AcrPush and log in

  1. Assign the AcrPush role to the service principal or managed identity on the registry.
  2. Run az acr login --name <registry> (or docker/login-action with the SP).
  3. Push to <registry>.azurecr.io/<repo>.
Terminal
az role assignment create \
  --assignee <app-id> --scope <registry-resource-id> --role AcrPush
az acr login --name myregistry

Log in via docker/login-action with the SP

Use the service principal id/secret against the azurecr.io host when az CLI is not available.

.github/workflows/ci.yml
- uses: docker/login-action@v3
  with:
    registry: myregistry.azurecr.io
    username: ${{ secrets.ACR_CLIENT_ID }}
    password: ${{ secrets.ACR_CLIENT_SECRET }}

How to prevent it

  • Assign AcrPush (or AcrPull for pulls) to the CI identity.
  • Run az acr login for the exact registry before pushing.
  • Prefer managed identity or OIDC over static SP secrets.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →