Skip to content
Latchkey

Harbor "unauthorized: authentication required" on push in CI

The Harbor registry rejected the push because the client is not authenticated. docker login did not run, or the robot account name/secret is wrong or expired. Harbor requires auth even for pushes to public projects.

What this error means

docker push fails with "unauthorized: authentication required" or "denied: unauthorized to access repository". A prior docker login may have silently failed.

Docker
The push refers to repository [harbor.example.com/acme/app]
denied: unauthorized: authentication required

Common causes

No docker login before push

The job pushes without authenticating, so Harbor returns unauthorized.

A wrong or expired robot account secret

The robot account name (like robot$acme+ci) or its token is wrong or past its expiry, so login does not grant push.

How to fix it

Log in with the robot account

  1. Create a Harbor robot account scoped to the project with push permission.
  2. Run docker login with the robot name and token from CI secrets.
  3. Push after a successful login.
Terminal
echo "$HARBOR_ROBOT_TOKEN" | docker login harbor.example.com \
  -u 'robot$acme+ci' --password-stdin
docker push harbor.example.com/acme/app:1.0.0

Check the robot token expiry

Harbor robot tokens can expire; regenerate the robot account and update the secret if login stops working.

How to prevent it

  • Use a project-scoped robot account for CI pushes.
  • Set a long or no expiry and rotate the secret deliberately.
  • Fail the job if docker login returns non-zero before pushing.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →