The error scenario
You run a docker pull — from the command line, a Dockerfile build, or a docker-compose up — and Docker refuses:
$ docker pull mycompany/myapp:latest
Error response from daemon: pull access denied for mycompany/myapp,
repository does not exist or may require 'docker login':
denied: requested access to the resource is denied
The full error message is:
pull access denied, repository does not exist or may require 'docker login'
Three things can trigger this: you're not authenticated, the image name has a typo, or the repository doesn't exist at all. The fix is different for each.
What's causing it
- Not logged in to the registry — private repos require authentication before Docker will even confirm they exist
- Typo in the image name or tag —
nginx:lastestinstead ofnginx:latestis a classic one - Wrong registry — the image lives on
ghcr.ioor a self-hosted registry, not Docker Hub - Image was never pushed or was deleted — the repo genuinely doesn't exist
- Expired or revoked credentials — Docker Hub personal access tokens expire after 1 year by default (or immediately if someone rotated them manually)
Quick diagnosis
Check your current login state
cat ~/.docker/config.json
Look at the auths key. Empty object? Missing your registry URL? You're not logged in — that's your answer right there.
Verify the image name
# Search public images on Docker Hub
docker search postgres
# Check available tags via the API
curl -s "https://hub.docker.com/v2/repositories/library/node/tags/?page_size=10" | python3 -m json.tool | grep '"name"'
Also scan your docker-compose.yml or Dockerfile for the exact image reference. A missing namespace (myapp vs myorg/myapp) or a one-character tag typo is surprisingly easy to miss.
Fix 1 — Log in to Docker Hub
Nine times out of ten, this is all you need:
docker login
Enter your Docker Hub username and a personal access token. Docker stopped accepting plain passwords for CLI auth — generate a token at hub.docker.com → Account Settings → Security → New Access Token.
You should see:
Login Succeeded
Then retry the pull:
docker pull mycompany/myapp:latest
Fix 2 — Log in to a non-Docker Hub registry
Wrong registry is the sneaky one. The image name looks right, but it lives somewhere other than Docker Hub.
GitHub Container Registry (ghcr.io)
docker login ghcr.io -u YOUR_GITHUB_USERNAME -p YOUR_GITHUB_TOKEN
docker pull ghcr.io/owner/image:tag
The GitHub token needs the read:packages scope. Without it, you'll get the same access denied error even with valid credentials.
AWS ECR
aws ecr get-login-password --region us-east-1 | \
docker login --username AWS --password-stdin \
123456789.dkr.ecr.us-east-1.amazonaws.com
docker pull 123456789.dkr.ecr.us-east-1.amazonaws.com/myimage:latest
Self-hosted registry
docker login registry.mycompany.com
docker pull registry.mycompany.com/myapp:latest
Fix 3 — Correct the image name
Still getting the error after logging in? The image name is likely wrong. These are the most common mistakes:
- Missing namespace:
myappinstead ofmyorg/myapp - Missing registry prefix:
myimageinstead ofregistry.mycompany.com/myimage - Tag typo:
:lastest,:mian, or:3.1when the actual published tag is:3.1.0
# Compare against what you have locally
docker images
# Pull with a verified, explicit name
docker pull nginx:1.25-alpine
Permanent fix — Persistent credential storage
Re-running docker login every session gets old fast. A credential helper stores your logins securely so Docker handles auth automatically.
Linux
# Install the pass-based credential helper
VERSION=0.8.0
wget https://github.com/docker/docker-credential-helpers/releases/download/v${VERSION}/docker-credential-pass-v${VERSION}.linux-amd64
chmod +x docker-credential-pass-v${VERSION}.linux-amd64
sudo mv docker-credential-pass-v${VERSION}.linux-amd64 /usr/local/bin/docker-credential-pass
# Tell Docker to use it
mkdir -p ~/.docker
echo '{"credsStore": "pass"}' > ~/.docker/config.json
macOS / Windows
Docker Desktop handles this for you — credentials go into the system keychain automatically. One docker login and it persists across reboots.
For CI/CD pipelines
Seeing this error in GitHub Actions or GitLab CI? Runners don't come with Docker credentials pre-loaded. You need an explicit login step.
# GitHub Actions
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
# GitLab CI
before_script:
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
Keep credentials in your CI platform's secret manager. Hardcoding them in config files is a security incident waiting to happen.
Verify the fix worked
After logging in or correcting the image name:
docker pull mycompany/myapp:latest
A successful pull looks like this:
latest: Pulling from mycompany/myapp
a8b37f1f5f40: Pull complete
Digest: sha256:abc123...
Status: Downloaded newer image for mycompany/myapp:latest
Confirm it landed locally:
docker images | grep myapp
Tips
- Pin to explicit version tags in production —
myapp:1.4.2is far safer thanmyapp:latest, which can silently point to a different image after the next push - Rotate access tokens regularly. Pull-only tokens need read permissions only — no reason to grant write access to a deployment service account
- When provisioning service accounts for a self-hosted registry, use a strong random password — ToolCraft's password generator does this client-side without sending anything to a server
- For team
docker-composeworkflows, adddocker loginto your setup script or Makefile. New team members will thank you for not hitting this on day one