Skip to content
Latchkey

DVC "dvc push" failed in CI

dvc push uploads new cache objects to the remote, and the upload failed. The remote is reachable but the CI credentials lack write access, or none were provided, so files fail to upload.

What this error means

dvc push ends with "ERROR: failed to push data to the cloud - N files failed to upload", often with an AccessDenied or 403 on PutObject.

dvc
ERROR: failed to push data to the cloud - 2 files failed to upload

Common causes

The CI principal has no write permission

A read-only role can pull but not push; PutObject/upload is denied on the store prefix.

No credentials for the write step

The push step ran without the cloud credentials injected, so the upload was unauthenticated and rejected.

How to fix it

Grant write access to the store

Extend the CI role to allow writes on the DVC store prefix, then push.

IAM policy
{
  "Effect": "Allow",
  "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
  "Resource": ["arn:aws:s3:::my-bucket/dvcstore/*", "arn:aws:s3:::my-bucket"]
}

Provide credentials to the push step

  1. Inject write-capable credentials via secrets or OIDC.
  2. Run dvc push after producing new data.
  3. Confirm the uploads succeed.
.github/workflows/ci.yml
- name: Push data
  env:
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  run: dvc push

How to prevent it

  • Give push-capable jobs a write-scoped role on the store.
  • Keep read-only jobs read-only to limit blast radius.
  • Confirm pushes in a smoke test before relying on them.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →