Docker push "denied: requested access to the resource is denied" - docker

I'm on Ubuntu Linux Server 20.04 and this is my first time pushing something to Docker so I just created a dummy container locally and it worked. Following some tutorials online, the hello-world example also works just fine.
Here's what I've tried:
I create a repo online
I've tried all of this for both public and private repos.
I just have a stardard account, this is not an organization.
docker login (Which succeeds)
I've also tried docker login -u <username>
I've tried with and without the pass program (Both succeed in logging in)
To make sure it's not reporting a false"success" message I tried using an incorrect password and it failed accordingly so the login appears to work.
docker tag <local repo name>:latest <username>/<online repo name>:v1
I've tried a myriad of other ways such as the following but they all produce the same error
docker tag <local repo name>:latest <username>/<repo name>:latest
docker tag <local repo name> <username>/<repo name>:latest
docker tag <local repo name>:latest <username>/<repo name>:v1
docker tag <local repo name> <username>/<repo name>:v1
docker tag <local repo name>:latest <username>/<repo name>
docker tag <local repo name> <username>/<repo name>
docker push <username>/<online repo name>:v1
I've also tried docker push <username>/<online repo name>
This is the output
The push refers to repository [docker.io/<username>/<online repo name>]
3c8373fcfed2: Preparing
dc881c014b38: Preparing
933337b6e971: Preparing
10e1cb1c03c2: Preparing
770786057cc0: Preparing
570175f149e2: Waiting
3e207b409db3: Waiting
denied: requested access to the resource is denied
At this point I've just given up, I don't understand why it's being denied and not pushing but I've gone through 2 Google pages of links trying to research this spanning 2 days so I don't know what else to do.

In attempt to not store my docker password unencrypted I'm using the recommended pass program on the Docker website. If I give up and just allow my password to be unencrypted it works. This is an issue with pass or Docker's communication with pass. I'm not happy about having to have my password unencrypted but it's either that or I can't push to Docker Hub.
There are 4 solutions for not storing your password unencrypted and the only one for Linux servers is pass.

Related

Docker push to private registry error [denied: requested access to the resource is denied]

I login like this:
PS C:\workl> docker login some-registry.io -u username#corp.company.com -p somePasswrod
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded
When I run docker images I get this
CREATED = user/custom-images
tag 1
imageID=34e982156f
I then try to push
docker push user/custom-image:1
The push refers to repository [docker.io/library/custom-image]
50c2af6d2450: Preparing
862d28b9e0d9: Preparing
...
...
878dab86cf0f: Waiting
denied: requested access to the resource is denied
Why? I am adding a tag and have seen others online similar to this but don't seem to be able to find a solution. I can pull just fine.
you need to follow this steps to push to a container :
1/ create a repository inside docker hub https://hub.docker.com/repositories :
just click on create a new repository.
2/ tagging your local image:
docker tag /
the repo_name is the one you created in step 1
3/ commit the image :
docker commit <existing-container> <hub-user>/<repo-name>
4/ and finnaly push it :
docker push <hub-user>/<repo-name>
As #altvits said,
If you want to push to some-registry.io you need to tag it like
docker image tag image:tag some-registry.io/path/image:tag and push it as docker image push some-registry.io/path/image:tag.
Without tagging the push will attempt to push to the default location which in your case is docker.io

Can I pull from private images Docker hub free private repo?

I am trying to pull my private images from Docker hub free private repo.
Here is what I have done.
Verify that myrepo/myimage exists in Docker Hub as private image.
Run the following
$ docker login docker.io -u myusername
Password:
WARNING! Your password will be stored unencrypted in /home/sha/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ docker push myusername/xxx-test:latest
The push refers to repository [docker.io/myusername/xxx-test]
e836ed963202: Pushed
24769bc5b044: Pushed
75b121557396: Pushed
4075573f4aa9: Pushed
fa6f238ab393: Mounted from myusername/multi-worker
d6100d978ba2: Mounted from myusername/multi-worker
88b43919be61: Mounted from myusername/multi-worker
0fcbbeeeb0d7: Mounted from myusername/multi-worker
latest: digest: sha256:985d3ed5e09915d5c84431243d511798ac4219a69ca3e73c6514dcb903b32853 size: 1990
$ docker pull myusername/xxx-test:latest
Error response from daemon: pull access denied for myusername/xxx-test, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Howver, Docker hub showed it had been pulled.
I have searched SO and googled on the same topic and tried all their suggestions. Nothing worked so far. It will work only if I go to the image settings an make it public.
Any input?
Update
Following the login command I immediately did a push, which was successful.
Then immediately did a pull for the same image, which failed.

gitlab CE docker push to registry hosted in s3 fails with "denied: access forbidden"

In gitlab CE docker push to registry hosted in s3 fails with "denied: access forbidden"
Here is a sample of my gitlab-ci.yml file:
before_script:
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN gitlab.domain.net (successful)
Build:
stage: build
script:
- docker build --pull -t $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME . (successful)
- docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME (FAILS)
Result: Fails during the push.
The push refers to repository [gitlab.domain.net:6565/sfloyd/myapp]
7f44c19d438d: Preparing
26472437084c: Preparing
2de391e51d73: Preparing
d73dd9e65295: Preparing
686245e78935: Preparing
d7ff1dc646ba: Preparing
644879075e24: Preparing
d7ff1dc646ba: Waiting
644879075e24: Waiting
denied: access forbidden
ERROR: Job failed: exit code 1
I have tried not using S3 and having the registry store the images on the gitlab server itself and that fails with the same result. I even set the S3 bucket open to the world for read and write as a test and that also failed.
The CI_JOB_TOKEN was given "read_registry" access just like the Gitlab documentation states...although I feel like it should have write as well but its not an option.
I have swapped out the username to log in with, with the username of the token and it fails with the same result.
I created an access token for my admin user giving it API access and that fails.
Interestingly if i use my admin user and the access token with API access it works LOCALLY but not when I put those same values in the gitlab-ci.yml file.
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
gitlab.domain.net:6565/sfloyd/myapp master b03b47a5987d 14 seconds ago 211MB
ubuntu 16.04 5e8b97a2a082 2 days ago 114MB
$ docker push gitlab.domain.net:6565/sfloyd/myapp:master
The push refers to repository [gitlab.domain.net:6565/sfloyd/myapp]
6852ea579a31: Pushed
5f7a44809386: Pushed
2de391e51d73: Layer already exists
d73dd9e65295: Layer already exists
686245e78935: Layer already exists
d7ff1dc646ba: Layer already exists
644879075e24: Layer already exists
master: digest: sha256:0f9f6c3d6ebc7f23f52a5b7be06457359de1c24959336de5b5e9e0a208a5b8c8 size: 1781
Ive pretty much exhausted everything I can think of. Anyone have a suggestion?
GitLab 10.8.1 Gitlab Runner 10.8.0
Also not sure if this matters but this is a private project.
Got it working in case someone else runs into this...
For some reason this worked as my login:
docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY
But did not work when I hardcoded those values in.

Access denied when pulling Docker image from a repository I own

I built a Docker image that I pushed to Docker Hub under my account and removed locally after. But when I try to pull it, it throws the following error:
Error response from daemon: pull access denied for mightyspaj/dockerfile-assignment-1, repository does not exist or may require 'docker login'
I'm logged into the same account that owns the repository for this image and can perform other tasks (such as pushing) perfectly fine. The repository also definitely exists on Docker Hub, yet it fails when I try to pull it.
I've tried the following things:
Logging out of my account and back in again
Renaming config.json and regenerating it
Running an isolated Docker container with docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock:ro docker sh, then logging into my account and attempting to pull the image
Deleting and recreating the repository
All of these things still produce the same error. I'm baffled.
To note, both my client and engine versions are 17.12.0-ce. My OS is Ubuntu 17.10 (64-bit).
Console output
docker login
-> % docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: mightyspaj
Password:
Login Succeeded
docker tag
-> % docker tag dockerfile-assignment-1:latest mightyspaj/dockerfile-assignment-1
docker push
-> % docker push mightyspaj/dockerfile-assignment-1
The push refers to repository [docker.io/mightyspaj/dockerfile-assignment-1]
8427a8e6a29f: Pushed
655a921743e8: Pushed
8aa44edb7524: Pushed
60f1a2dc4cd8: Mounted from library/node
9185fe936b87: Mounted from library/node
e53f74215d12: Mounted from library/node
latest: digest: sha256:6c68220ba84f13d0229ef4458f22369410bb98764b908a75be0849c3003de160 size: 1582
docker image rm
-> % docker image rm mightyspaj/dockerfile-assignment-1
Untagged: mightyspaj/dockerfile-assignment-1:latest
Untagged: mightyspaj/dockerfile-assignment-1#sha256:6c68220ba84f13d0229ef4458f22369410bb98764b908a75be0849c3003de160
docker image pull
-> % docker image pull mightyspaj/dockerfile-assignment-1
Using default tag: latest
Error response from daemon: pull access denied for mightyspaj/dockerfile-assignment-1, repository does not exist or may require 'docker login'
I could fix the same issue only when I made the repository public. Make sure the repository is public then this is the set of instructions I followed in command line:
Once logout from docker hub and login again.
1- docker logout
2- docker login --username=YOURUSERNAME
Enter password when asked
3- docker pull repositoryName"/"imageName[:tag]
if "tag" is not included the default value will be "latest".
Then check the images by docker images command to check if its been pulled.
After pulling is done I made the repository private again.
This solution is only valid on private docker repositories!!
First try to login on your private repo e.g:
docker login dockerrepo.example.com
Then
If you build new image with dockerfile based on image in your private repository then you must prefix your base image with private repository url:
FROM PRIVATE_REPO_URL + IMAGE_INFO
sample:
PRIVATE_REPO_URL --> dockerrepo.example.com
BASE_IMAGE --> samples/java/jdk:1.6
Your dockerfile look like this:
FROM dockerrepo.example.com/samples/java/jdk:1.6

docker unauthorized: authentication required - upon push with successful login

While pushing the docker image (after successful login) from my host I am getting "unauthorized: authentication required".
Details below.
-bash-4.2# docker login --username=asamba --email=anand.sambamoorthy#gmail.com
WARNING: login credentials saved in /root/.docker/config.json
*Login Succeeded*
-bash-4.2#
-bash-4.2# docker push asamba/docker-whale
Do you really want to push to public registry? [y/n]: y
The push refers to a repository [docker.io/asamba/docker-whale] (len: 0)
faa2fa357a0e: Preparing
unauthorized: authentication required
Docker version: 1.9.1 (both client and server)
http://hub.docker.com has the repo created as well (asamba/docker-whale).
The /var/log/messages shows 403, I dont know if this docker. See below.
Apr 16 11:39:03 localhost journal: time="2016-04-16T11:39:03.884872524Z" level=info msg="{Action=push, Username=asamba, LoginUID=1001, PID=2125}"
Apr 16 11:39:03 localhost journal: time="2016-04-16T11:39:03.884988574Z" level=error msg="Handler for POST /v1.21/images/asamba/docker-whale/push returned error: Error: Status 403 trying to push repository asamba/docker-whale to official registry: needs to be forced"
Apr 16 11:39:03 localhost journal: time="2016-04-16T11:39:03.885013241Z" level=error msg="HTTP Error" err="Error: Status 403 trying to push repository asamba/docker-whale to official registry: needs to be forced" statusCode=403
Apr 16 11:39:05 localhost journal: time="2016-04-16T11:39:05.420188969Z" level=info msg="{Action=push, Username=asamba, LoginUID=1001, PID=2125}"
Apr 16 11:39:06 localhost kernel: XFS (dm-4): Mounting V4 Filesystem
Apr 16 11:39:06 localhost kernel: XFS (dm-4): Ending clean mount
Apr 16 11:39:07 localhost kernel: XFS (dm-4): Unmounting Filesystem
Any help is appreciated, please let me know if you need further info. I did the push with -f as well. No luck!
You'll need to log in to Docker.
Step 1: log in to docker hub
Based on #KaraPirinc's comment, in Docker version 17 in order to log in:
docker login -u username --password-stdin
Then enter your password when asked.
Step 2: create a repository in the docker hub.
Let's say "mysqlserver:sql".
docker push <user username>/mysqlserver:sql
OK! never mind; I found the solution. with 403 Suspected that the HTTP is not going to the right URL.
Change the file which has the login credentials stored the ~/.docker/config.json from the default generated of
{
"auths": {
"docker.io": {
"auth": "XXXXXXXXXXXXX",
"email": "x.y#gmail.com"
}
}
}
to - Note the change from docker.io -> index.docker.io/v1. That is the change.
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "XXXXXXXXXXXXX",
"email": "x.y#gmail.com"
}
}
}
Hope that helps.
Note that the auth field should be 'username:password" base64 encoded.
for example: "username:password" base64 encoded is "dXNlcm5hbWU6cGFzc3dvcmQ="
so your file would contain:
"auth": "dXNlcm5hbWU6cGFzc3dvcmQ="
The solution you posted is not working for me...
This is what works for me:
Create the repository with the desired name.
When committing the image, name the image like the repository, including the username <dockerusername>/desired-name. For example, radu/desired-name.
if you are using heroku, be sure you did not forget to "heroku container:login" before pushing.
The problem newbies face is that we tend to treat docker hub repository just like a maven repository and think that it might contain many a different files, folders and other contents.
A docker repository on the other hand is just a single image, it does not contain anything else. It can hold different versions of the same image, but its going to contain just one image.
So, name your repository on docker hub the same name as the image you want to push into it, and use your dockerhub username as prefix. For eg, if your username is myusername and your image name is docker-whale , make sure to name your dockerhub repository as docker-whale and use the below commands to tag and push your image to repository:
docker logout # to make sure you're logged out and not cause any clashes
docker tag <imageId> myusername/docker-whale # use :1.0.0 for specific version, default is 'latest'
docker login --username=myusername # use the username/pwd to login to docker hub
docker push myusername/docker-whale # use :1.0.0 for pushing specific version, default is 'latest'
I had the same problem but i fixed it with push with specified url.
as: docker login -u https://index.docker.io/v1/
console output:
The push refers to a repository [docker.io/<username>/richcity]
adc9144127c1: Preparing
4db5654f7a64: Preparing
ce71ae73bc60: Preparing
e8e980243ee4: Preparing
d773e991f7d2: Preparing
bae23f4bbe95: Waiting
5f70bf18a086: Waiting
3d3e4e34386e: Waiting
e72d5d9d5d30: Waiting
8d1d75696199: Waiting
bdf5b19f60a4: Waiting
c8bd8922fbb7: Waiting
unauthorized: authentication required
1010deiMac:dockerspace whoami$ docker login -u <username> https://index.docker.io/v1/
Password:
Login Succeeded
1010deiMac:dockerspace whoami$ docker push <username>/richcity
The push refers to a repository [docker.io/<username>/richcity]
adc9144127c1: Pushed
4db5654f7a64: Pushed
ce71ae73bc60: Pushed
e8e980243ee4: Pushed
d773e991f7d2: Pushed
bae23f4bbe95: Pushed
5f70bf18a086: Pushed
3d3e4e34386e: Pushing [=============> ] 45.07 MB/165.4 MB
e72d5d9d5d30: Pushed
8d1d75696199: Pushing [> ] 1.641 MB/118.1 MB
bdf5b19f60a4: Pushing [============> ] 142 MB/568.4 MB
c8bd8922fbb7: Pushing [========================> ] 59.44 MB/121.8 MB
I was running into a similar issue with a similarly unhelpful error message, but it turned out to be because I was trying to push an image that I had built against a docker-machine managed instance.
When I logged into the instance itself, did docker login and docker push everything worked fine.
In case it helps anyone, I managed to resolve this with the following command at the prompt:
az acr login -n MyContainerName
After this, I could run docker push successfully.
Though the standard process is to login and then push to docker registry, trick to get over this particular problem is to login by providing username and password in same line.
So :
docker login -u xxx -p yyy sampledockerregistry.com/myapp
docker push sampledockerregistry.com/myapp
Works
whereas
docker login sampledockerregistry.com
username : xxx
password : yyy
Login Succeeded
docker push sampledockerregistry.com/myapp
Fails
Even I logged in and checked all the configuration, it still does not work !!!
It turned out that when I build my docker, I forget to put my username before the repo name
docker build docker-meteor-build
(build successfully)
And then when I pushed to my repository, I used
docker push myname/docker-meteor-build
It will show the unauthorized authentication required
So, solution is then name of build and the push should be exactly the same
docker build myname/docker-meteor-build
docker push myname/docker-meteor-build
Here the solution for my case ( private repos, free account plan)
https://success.docker.com/Datacenter/Solve/Getting_%22unauthorized%3A_authentication_required%22_when_trying_to_push_image_to_DTR
The image build name to push has to have the same name of the repos.
Example:
repos on docker hub is: accountName/resposName
image build name "accountName/resposName" -> docker build -t accountName/resposName
then type
docker push accountName/resposName:latest
That's all.
My problem was an invalid Authorization token after 5 minutes.
The push took more than 5 minutes because of the image size.
I've fixed it by increasing the "Authorization token duration" to 10 minutes.
If you are pushing a new private image for the first time, make sure your subscription supports this extra image.
Docker allows you to have 6 private images named, even if you only pay for 5, but not to push that 6th image. The lack of an informative message is confusing and irritating.
What worked for me was to create a new repository and rename the image with
$ docker tag image_id myname/server:latest
Make sure you have more slots for private images.
In my case I converted a user into an organization and it lost it's one free private image, so previous pushes that worked, no longer worked.
Same problem here, during pushing image:
unauthorized: authentication required
What I did:
docker login --username=yourhubusername --email=youremail#company.com
Which it printed:
--email is deprecated (but login succeeded still)
Solution: use the latest login syntax.
docker login
It will ask for both username and password interactively. Then the image push just works.
Even after using the new syntax, my ~/.docker/config.json looks like this after logged in:
{
"auths": {
"https://index.docker.io/v1/": {}
},
"credsStore": "osxkeychain"
}
So the credential is in macOS' keychain.
Try docker logout first, then relogin with docker login
You can mv the xxx/.docker/config.json file somewhere for handle it.
Then try to login again for create new config.json file.
#mv xx/.docker/config.json xx/.docker/config_old.json
#docker login https://index.docker.io/v1/
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: YOUR USERNAME
Password: YOUR PASSWORD
WARNING! Your password will be stored unencrypted in /xxx/.docker/config.json.
Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
I had a similar problem.
Error response from daemon: Get https://registry-1.docker.io/v2/hadolint/hadolint/manifests/latest: unauthorized: incorrect username or password
I found out out that even if I login successfully with the docker login command, any pull failed.
I tried to clean up the ~/.docker/config.json but nothing improved.
Looking in the config file I've seen that the credentials were not saved there but in a "credsStore": "secretservice".
In Linux this happen to be the seahorse or Passwords and Keys tool.
I checked there and I cleanup all the docker hub login.
After this a new docker login worked as expected.
in your configuration file ~/.docker/config.json add
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "XXXXXXXXXXXXX",
"email": "my_email#gmail.com"
}
}
}
where XXXXX is base64 encoding of your username:password (the : is included) of https://hub.docker.com
in my case i had the same error with a pull. the problem (under windows) was provoked by double docker running process, so a kill them all and restart one service and it works .
I have received similar error for sudo docker push /sudo docker pull on ecr repository.This is because aws cli installed in my user(abc) and docker installed in root user.I have tried to run sudo docker push on my user(abc)
Fixed this by installed aws cli in root , configured aws using aws configure in root and run sudo docker push to ecr on root user
If you running windows 7 docker Registry
Start **Docker Quick Start terminal** run (this terminal enables connection ) Until you pushed images , that will keep token alive .
Login
docker login
Make sure you tag the image with username
docker build -f Dockerfile -t 'username'/imagename
push image
docker image push username/imagename
Note: image name all lowercase
I tried all the methods I can find online and failed. Then I read this post and get some ideas from #Alex answer. Then I search about ""credsStore": "osxkeychain"" which is used in my config.json. The I follow this link https://docs.docker.com/engine/reference/commandline/login/ to logout and then login again. Finally, I can push my image successfully.
I had the same problem and I can fix it.
change the ~/.docker/config.json file as below
{
"auths": {
"XxX": {
"auth": "XxX"
}
}
}
and do not forget to restart docker service.
service docker restart
enjoy
i was facing the same problem with Heroku and Docker, the solution was
docker login
docker build . -t <project_name>
heroku container:login
heroku container:push web -a <project_name>
I had the same problem but I fixed it with push with a specified URL:
docker login -u https://index.docker.io/v1/
Just curious to know what could be the cause for this issue?
Old post but had same issue and couldn't find the answer.
NOTE: the Docker tag is case sensitive to Azure loginserver name.
I was uploading to Azure container. Container was named "LearnContainer81"
Loginserver was "learncontainer81.azurecr.io"
When I did the tag in Docker, I did it with "LearnContainer81.azurecr.io/X" and it gives unauthorised. Did tag again in lowercase as per Loginserver for Azure. This then uploaded fine.
Its the problem with the proxy.
Turn off the VPN if you are working on any.
https://forums.docker.com/t/failed-with-status-401-unauthorized/11023/3
I'm using my self-hosted docker registry, where I terminate HTTPS/SSL first on another server (such as nginx or trafficserver), and then pass the traffic to registry over non-encrypted HTTP. After a lot of research, I managed to get it to work.
i) the problem is caused by not having X-Forwarded-Proto -header set in PATCH -requests, resulting in 401 error. See https://github.com/distribution/distribution/issues/1177#issuecomment-155718420
ii) nginx version 18 (and lower such as Ubuntu Bionic and Focal) seems not to pass the
proxy_set_header X-Forwarded-Proto https;
for PATCH (POST works ok), but nginx version 21 works ok.
Also Apache Trafficserver seems to pass the headers properly, once enabled.
Make sure your docker repositry name matches your local docker repo name.
e.g lets say if you local repo name "kavashgar/nodjsapp"
then your should also have a repo names "kavashgar" in docker hub

Resources