Earthly registry push "denied" / authentication required in CI
When Earthly pushes an image, buildkitd authenticates to the target registry. If no credentials are configured for that registry, the push is rejected with "denied" or "authentication required".
What this error means
A SAVE IMAGE --push step fails with "failed to solve: ... denied: requested access to the resource is denied" or "authentication required" for the registry host.
+image | SAVE IMAGE --push registry.example.com/app:latest
Error: solve: failed to solve: failed to push registry.example.com/app:latest: denied: requested access to the resource is deniedCommon causes
No registry login before the push
buildkitd reads Docker credentials. Without a docker login (or equivalent config) for the target registry, the push is anonymous and denied.
A token without push scope
The credentials authenticate but lack write access to the repository, so the registry returns denied.
How to fix it
Log in before earthly --push
- Run
docker loginfor the target registry using a CI secret. - Invoke
earthly --pushso the push uses those credentials. - Confirm the token has write access for a persistent denied.
echo "$REGISTRY_TOKEN" | docker login registry.example.com -u ci --password-stdin
earthly --push +imageVerify push scope on the token
A denied that survives login means the credential lacks write scope. Grant push access to the repository.
How to prevent it
- Log in to the target registry before every push build.
- Store registry tokens as CI secrets, never in the Earthfile.
- Grant least-privilege write scope for the push repository.