Docker Hub "denied: requested access to the resource is denied" on push in CI
The push reached Docker Hub but the registry rejected it: either no credentials were sent, or the authenticated account does not own (or have write rights to) the namespace/repo you tagged. The repository name decides the namespace, so a wrong username is the usual cause.
What this error means
docker push to Docker Hub fails with "denied: requested access to the resource is denied" after the layers upload, even when docker login appeared to succeed.
The push refers to repository [docker.io/myuser/app]
denied: requested access to the resource is deniedCommon causes
The job is not logged in to Docker Hub
No docker login ran in this job (or it ran in a different step/shell), so the push is anonymous and Docker Hub denies write access.
The tag points at a namespace you cannot write to
The image is tagged docker.io/otheruser/app or an org you lack push rights to. Docker Hub derives the namespace from the repository name, so a wrong username yields denied.
How to fix it
Log in with a token, then tag to your own namespace
- Create a Docker Hub access token and store it as a secret.
- Run docker/login-action before the push.
- Tag the image as
your-username/repo(ororg/repoyou can write to).
- uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- run: |
docker tag app ${{ secrets.DOCKERHUB_USERNAME }}/app:latest
docker push ${{ secrets.DOCKERHUB_USERNAME }}/app:latestGrant the token write scope for an org repo
For an organization repository, confirm the token owner is a team member with Read & Write access to that repo, not just Read.
How to prevent it
- Always run docker/login-action in the same job before pushing.
- Tag images to a namespace the authenticated account owns.
- Use access tokens, not account passwords, scoped to the repos you push.