denied: requested access to the resource is denied when pushing image to gitlab registry
T

7

18

I'm trying to push an image to gitlab registry.

I've done it many times, so I wonder why I get this error.

I build the image with latest tag:

Successfully tagged registry.gitlab.com/mycompany/rgpd_api:latest

Then I login and I push:

docker login registry.gitlab.com -u gitlab+deploy-token-91931 
docker push registry.gitlab.com/mycompany/rgpd_api:latest

But I get:

The push refers to repository [registry.gitlab.com/mycompany/rgpd_api]
be679cc302b9: Preparing 
denied: requested access to the resource is denied

I gave gitlab+deploy-token-91931 token both read_repository and read_registry rights.

My repo is:

https://gitlab.com/mycompany/rgpd_api

I checked with docs page: https://docs.gitlab.com/ee/user/project/container_registry.html

But when I do it through Gitlab CI, with gitlab-ci-token

I can push it normally.

I also tried to regenerate a new token, but still same issue.

How can I fix it?

Tarsia answered 26/8, 2019 at 8:49 Comment(6)
I think the docker login is not right, you can get your correct url from Packages > Container Registry – Nietzsche
and for -u to work you need -p – Nietzsche
Yep, I checked the url is OK. – Tarsia
Also, when you don't put -p, it will ask your password interactively – Tarsia
Did you solve it? – Barocchio
Yes, I will post the answer after lunch time :) – Tarsia
M
31

I've stumbled upon this question as well and it turns out that

  • Group level Deploy tokens can be used to push images to group level container registry similarly to a PAT token with API access or other applicable scopes.
  • The image must be tagged with the tag that matches an existing project within the group.
  • Any image tagged differently will be rejected with the denied: requested access to the resource is denied error message.

So, with the setup below:

  • GitLab group called mytest
  • Project within that group called hello-world
  • Docker image tagged as registry.gitlab.com/mytest/hello-world
  • Deploy token created for an entire group
  • Docker daemon authorized to push to that registry by cat "<deploy_token>" | docker login -u "<token_username>" --password-stdin registry.gitlab.com

You will get the following results:

  • Successful push for docker push registry.gitlab.com/mytest/hello-world because such project exists within the group
  • denied: requested access to the resource is denied if you try to push an image tagged with the name of the project that does not exist in the group like docker push registry.gitlab.com/mytest/no-project

So, again, image must be tagged to match an existing path within the group, like an existing project within the group or a subgroup.

Mortensen answered 19/4, 2022 at 0:16 Comment(4)
Thanks, you saved my day. When I create a new tag "resource denied" problems are solved. – Flory
very nice, tons of thanks – Harrie
Is this documented anywhere? I'm also finding that the tag suffix (part after :) also has to match a branch in the project. So -t <project-name>:<project-branch> seems to be the only thing allowed. – Wack
docs.gitlab.com/ee/user/packages/container_registry/… is the doc. The path it provides as an example is the minimum path, you can be more specific if you wish. <registry server>/<namespace>/<project>[/<optional path>] – Roa
A
4

Make sure you have proper configuration in settings.

Go to Settings of project, then "Visibility, project features, permissions" and check "Container registry : Every project can have its own space to store its Docker images" (for members only or for everyone, up to you). Otherwise, the push and pull will be denied.

This happened to me and that's how I solved it.

Angelitaangell answered 17/7, 2022 at 8:50 Comment(0)
T
1

My error was to use a deploy token to push an image to a registry.

A deploy token can be used to pull an image, but not push it.

So, instead, you can generate a Personal Access Token. You should add at least permissions:

read_registry, write_registry
Tarsia answered 14/9, 2020 at 14:27 Comment(4)
Citation for this? I have the same problem and if what you say is true this is a major WTF as you can add a write_registry scope to the group deploy token. – Esmond
This is not correct. See docs.gitlab.com/ee/user/packages/container_registry/… – Mer
That's not correct. Deploy tokens work fine to push images – Circinus
When creating a Deploy Token with write_registry it fails a docker push every time. But create a Deploy Token with read_registry AND write_registry and it works fine?? See this link (from above comment: docs.gitlab.com/ee/user/packages/container_registry/…) which reads: "All of these authentication methods require the minimum scope: For read (pull) access, to be read_registry. For write (push) access, to be write_registry and read_registry." – Guideboard
H
1

You can make docker log out of your registry and log in again. It recreates your token. This worked in my case.

Hullo answered 19/1, 2023 at 15:13 Comment(0)
C
1

The token permission requires BOTH write_registry AND read_registry. Even though the documentation for write_package_registry says "Allows read, write and delete access to the package registry."...

Circinus answered 24/10, 2023 at 14:13 Comment(1)
What the f**k. Since api includes read_api, write_repository includes read_repository. But write_registry cannot work without read_registry although I only do docker push. Thank you for saving my day! – Scranton
P
1

In my case I wasn't aware of the following restriction in the Gitlab documentation, relating to the Gitlab image name structure:

"You can append additional names to the end of a container image name, up to two levels deep"

My original image name was three levels deep under the group and project names, eg:

<registry server>/<namespace>/<project>/my/image/name:<tag>

When pushing this image name to my Gitlab image registry, the Docker CLI aborted part way through its 'preparing' stage with error message denied: requested access to the resource is denied.

After finding the above guidance in the Gitlab documentation I shortened the image name to <registry server>/<namespace>/<project>/my/name:<tag> and was able to successfully push the image.

A confusing trap for the unwary, because the original three-level image name had pushed successfully to a private Docker registry.

Putout answered 18/1 at 22:48 Comment(0)
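
Added example (not part of any answer above, and not GitLab's own tooling): a pre-push check for the image-path rules from the two answers on naming and for the scope rule quoted from the docs in the comments. The helper names `check_image_path` and `check_push_scopes` are hypothetical, the project path is supplied by the caller, and the sample inputs are constructed from the names used in the answers.

```shell
#!/bin/sh
# Added example: pre-push checks for the "denied" causes discussed on this page.
# check_image_path and check_push_scopes are hypothetical helper names.

# check_image_path IMAGE REGISTRY PROJECT_PATH
# Accepts <registry>/<project path>[/<name>[/<name>]][:tag]; PROJECT_PATH is
# an existing project in the group, supplied by the caller.
check_image_path() {
    name=${1%@*}                                      # drop an @digest if present
    case ${name##*/} in *:*) name=${name%:*} ;; esac  # drop :tag, keep a registry port
    prefix="$2/$3"
    case $name in
        "$prefix") echo "ok"; return 0 ;;
        "$prefix"/*) extra=${name#"$prefix"/} ;;
        *) echo "path-mismatch"; return 1 ;;          # not under an existing project
    esac
    case $extra in ""|/*|*/|*//*) echo "malformed"; return 1 ;; esac
    levels=1
    while [ "$extra" != "${extra#*/}" ]; do           # count '/'-separated levels
        extra=${extra#*/}
        levels=$((levels + 1))
    done
    if [ "$levels" -gt 2 ]; then echo "too-deep"; return 1; fi
    echo "ok"
}

# check_push_scopes "SCOPE SCOPE ..."
# A push needs both read_registry and write_registry on the token.
check_push_scopes() {
    missing=""
    for need in read_registry write_registry; do
        case " $1 " in
            *" $need "*) ;;
            *) missing="$missing $need" ;;
        esac
    done
    if [ -n "$missing" ]; then echo "missing:$missing"; return 1; fi
    echo "ok"
}

# Constructed inputs reusing the group and project names from the answers above.
REG=registry.gitlab.com
check_image_path "$REG/mytest/hello-world:latest" "$REG" mytest/hello-world || true
check_image_path "$REG/mytest/no-project" "$REG" mytest/hello-world || true
check_image_path "$REG/mytest/hello-world/my/image/name:1.0" "$REG" mytest/hello-world || true
check_push_scopes "read_repository read_registry" || true
```

Each helper prints a one-word verdict and returns non-zero on failure, so it can gate a `docker push` in a script.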
S
0

Just throwing in the solution from my recent experience:

If you're using sudo docker push it's possible/likely that it's not using your saved credentials, but rather trying to authenticate with non-existent root user credentials on your machine.

Try the push with docker push instead and see if it's successful.

Shelton answered 25/10, 2023 at 16:31 Comment(0)
