Docker "denied: requested access to the resource is denied" on Push
You are authenticated, but the account behind those credentials is not allowed to push to this specific repository. This is an authorization failure, not an authentication one.
What this error means
A docker push reaches the registry, the login succeeded, but the push is rejected with denied: requested access to the resource is denied. The same image pulls fine; only the write is blocked.
The push refers to repository [docker.io/otherorg/api]
denied: requested access to the resource is deniedCommon causes
Pushing to a namespace you do not own
The image is tagged for a repository under an account or org your credentials cannot write to - e.g. tagged otherorg/api while logged in as myorg. Docker Hub also rejects pushes to library/*.
The repository does not exist and auto-create is off
Some registries (and org policies) require the repository to be created first. Pushing to a non-existent repo under a namespace you do control still returns denied if auto-creation is disabled.
Token has read but not write permission
A read-only access token authenticates successfully but cannot push, producing a denial only on write operations.
How to fix it
Tag for a repository you can write to
Make the tag match the authenticated account or org namespace.
# tag under the namespace you own
docker tag api:latest docker.io/myorg/api:1.4.2
docker push docker.io/myorg/api:1.4.2Create the repository or enable auto-create
- For ECR, create the repository (or set
createRepositoryOnPush). - For GHCR/Docker Hub orgs, confirm the package/repo exists and the actor has write access.
- Use a token/role with push permission, not read-only.
How to prevent it
- Keep image tags aligned with the namespace your CI credentials own.
- Pre-create registry repositories as part of infrastructure, or enable auto-create.
- Audit token scopes so CI push credentials always include write.