Nexus Docker "unauthorized: access to the requested resource is not authorized" in CI
The Docker client authenticated against the wrong endpoint or Nexus could not issue a bearer token. Nexus Docker repos expose a dedicated HTTP connector port, and the Docker Bearer Token Realm must be active for docker login to work.
What this error means
docker push or pull fails with "unauthorized: access to the requested resource is not authorized" even though docker login reported success, or after logging in to the wrong port.
unauthorized: access to the requested resource is not authorized
# often after:
docker login nexus.example.com # (wrong: this is the UI port, not the docker connector)Common causes
Logging in to the UI port, not the Docker connector
Nexus serves the Docker registry on a repository connector port (for example 8082) or a path. Logging in to the main UI host/port does not grant the Docker registry a token.
Docker Bearer Token Realm not enabled
Nexus needs the "Docker Bearer Token Realm" active under Security, Realms for token-based docker auth; without it, docker login cannot obtain a usable token.
How to fix it
Log in to the Docker connector host:port
- Find the Docker repository connector port in Nexus (repository settings, HTTP connector).
- docker login to that host:port with the Nexus credentials from secrets.
- Tag and push using the same host:port.
echo "$NEXUS_PASSWORD" | docker login nexus.example.com:8082 \
-u "$NEXUS_USERNAME" --password-stdin
docker tag app nexus.example.com:8082/app:1.2.0
docker push nexus.example.com:8082/app:1.2.0Enable the Docker Bearer Token Realm
In Nexus, Security, Realms, add "Docker Bearer Token Realm" to the active realms so docker login can mint tokens.
How to prevent it
- Use the Docker connector port (not the UI port) for docker login/push.
- Keep the Docker Bearer Token Realm enabled.
- Store Nexus docker credentials as CI secrets.