Skip to content
Latchkey

Kaniko "error checking push permissions" in CI

Before building, Kaniko does a permission check against the destination so it fails fast rather than after a long build. If credentials are missing, wrong, or the host is unreachable, this pre-check fails.

What this error means

Kaniko aborts early with "error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again".

kaniko
error checking push permissions -- make sure you entered the correct tag name,
and that you are authenticated correctly, and try again: checking push permission
for "registry.example.com/app:latest": UNAUTHORIZED: authentication required

Common causes

Missing or wrong registry credentials

The permission probe uses the same /kaniko/.docker/config.json as the push. No valid auth for the destination host fails the check up front.

A malformed or unreachable destination

A wrong hostname, a typo in the tag, or a registry the runner cannot reach makes the pre-flight check fail.

How to fix it

Provide credentials before the executor runs

Write a valid Docker config so the pre-check authenticates, exactly as the push would.

Terminal
mkdir -p /kaniko/.docker
echo "{\"auths\":{\"registry.example.com\":{\"auth\":\"${AUTH_B64}\"}}}" \
  > /kaniko/.docker/config.json

Skip the check only when it is a false negative

If the destination is correct but the pre-check probe misbehaves (for example a registry that disallows the probe), you can defer it with --skip-push-permission-check, but fix real auth first.

Terminal
/kaniko/executor --skip-push-permission-check \
  --destination registry.example.com/app:latest

How to prevent it

  • Set up the Docker config before Kaniko runs so the pre-check passes.
  • Verify the --destination hostname and tag are correct.
  • Prefer failing fast on auth here over discovering it after a long build.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →