Skip to content
Latchkey

Artifact Registry "denied: Permission artifactregistry.repositories.uploadArtifacts" in CI

docker push authenticated to Artifact Registry but the identity is not allowed to write to that repository. The push is rejected with uploadArtifacts denied; authentication succeeded, authorization did not.

What this error means

docker push to *-docker.pkg.dev fails with "denied: Permission 'artifactregistry.repositories.uploadArtifacts' denied on resource ...".

docker
denied: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource
"projects/my-project/locations/us-central1/repositories/app" (or it may not exist)

Common causes

The identity lacks the Artifact Registry Writer role

Pushing needs roles/artifactregistry.writer on the repository or project. A reader-only or unrelated role cannot upload artifacts.

Docker is not configured to auth to the registry host

Without gcloud auth configure-docker for the host, the push uses no valid credentials and is denied.

How to fix it

Grant the Writer role on the repository

  1. Bind roles/artifactregistry.writer to the CI service account on the repo or project.
  2. Configure Docker auth for the registry host.
  3. Retry the push.
Terminal
gcloud artifacts repositories add-iam-policy-binding app \
  --location us-central1 \
  --member="serviceAccount:ci@my-project.iam.gserviceaccount.com" \
  --role="roles/artifactregistry.writer"

Configure Docker for the registry host

Register the Artifact Registry host as a Docker credential helper before pushing.

Terminal
gcloud auth configure-docker us-central1-docker.pkg.dev

How to prevent it

  • Grant artifactregistry.writer to the push identity, reader to the pull identity.
  • Run gcloud auth configure-docker <host> before any push step.
  • Use Workload Identity Federation instead of long-lived keys for pushes.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →