Skip to content
Latchkey

Earthly registry push "denied" / authentication required in CI

When Earthly pushes an image, buildkitd authenticates to the target registry. If no credentials are configured for that registry, the push is rejected with "denied" or "authentication required".

What this error means

A SAVE IMAGE --push step fails with "failed to solve: ... denied: requested access to the resource is denied" or "authentication required" for the registry host.

earthly
+image | SAVE IMAGE --push registry.example.com/app:latest
Error: solve: failed to solve: failed to push registry.example.com/app:latest: denied: requested access to the resource is denied

Common causes

No registry login before the push

buildkitd reads Docker credentials. Without a docker login (or equivalent config) for the target registry, the push is anonymous and denied.

A token without push scope

The credentials authenticate but lack write access to the repository, so the registry returns denied.

How to fix it

Log in before earthly --push

  1. Run docker login for the target registry using a CI secret.
  2. Invoke earthly --push so the push uses those credentials.
  3. Confirm the token has write access for a persistent denied.
Terminal
echo "$REGISTRY_TOKEN" | docker login registry.example.com -u ci --password-stdin
earthly --push +image

Verify push scope on the token

A denied that survives login means the credential lacks write scope. Grant push access to the repository.

How to prevent it

  • Log in to the target registry before every push build.
  • Store registry tokens as CI secrets, never in the Earthfile.
  • Grant least-privilege write scope for the push repository.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →