Azure ACR "unauthorized: ... not authorized" on push in CI
ACR rejected the push because the identity is not authorized to write. Either no az acr login / token login ran, or the service principal/managed identity lacks the AcrPush role on the registry. Assign AcrPush and log in to the correct *.azurecr.io host.
What this error means
docker push to <registry>.azurecr.io fails with "unauthorized: <client> is not authorized to perform action" or "authentication required".
denied: requested access to the resource is denied
unauthorized: authentication requiredCommon causes
The principal lacks the AcrPush role
The identity authenticated to Azure but has no push permission on the registry, so ACR denies the write.
No az acr login for this registry
Without az acr login --name <reg> (or a token login), the docker daemon has no ACR credentials for the push host.
How to fix it
Assign AcrPush and log in
- Assign the AcrPush role to the service principal or managed identity on the registry.
- Run
az acr login --name <registry>(or docker/login-action with the SP). - Push to
<registry>.azurecr.io/<repo>.
az role assignment create \
--assignee <app-id> --scope <registry-resource-id> --role AcrPush
az acr login --name myregistryLog in via docker/login-action with the SP
Use the service principal id/secret against the azurecr.io host when az CLI is not available.
- uses: docker/login-action@v3
with:
registry: myregistry.azurecr.io
username: ${{ secrets.ACR_CLIENT_ID }}
password: ${{ secrets.ACR_CLIENT_SECRET }}How to prevent it
- Assign AcrPush (or AcrPull for pulls) to the CI identity.
- Run az acr login for the exact registry before pushing.
- Prefer managed identity or OIDC over static SP secrets.