I wanted to use access token to do push/pull docker images. I read the information on https://docs.docker.com/registry/spec/auth/jwt/

I am getting “requested access to the resource is denied” error when I use the generated token to push/pull image to my private repository. I’m hoping someone here had resolved this issue before and can help me out.

I use my docker’s username and password to generate an access token with this script.

reponame=“userlogin/private-repo”
actions=“push,pull”
headers="Authorization: Basic (echo -n "{username}:{password}" | base64)" response=(curl -s -H “$headers” “https://auth.docker.io/token?service=registry.docker.io&scope=repository:$reponame:$actions”)
echo $response | jq ‘.token’ | xargs echo

I put the generated token in ~/.docker/config.json

cat ~/.docker/config.json { "HttpHeaders": { "Authorization": "Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6 ...", "User-Agent": "Docker-Client/19.03.1 (linux)" } } docker pull userlogin/private-repo:tag1
Error response from daemon: pull access denied for userlogin/private-repo, repository does not exist or may require ‘docker login’: denied: requested access to the resource is denied

I put the token through the jwt decoder and the payload section looks like this

{
“access”: [
{
“type”: “repository”,
“name”: “userlogin/private-repo”,
“actions”: [
“push”,
“pull”
]
}
],
“aud”: “registry-docker-io”,
“exp”: 1568139741,
“iat”: 1568139441,
“iss”: “auth-docker-io”,
“jti”: “lx9zfVptM9eLhjgnEjih”,
“nbf”: 1568139141,
“sub”: “557269cb-00f6-4e0e-b02b-581994894914”
}

I was able to push/pull the image to my private repo with “docker login” credential.

I suspect the token expired when you tried using it. Docker Hub does not currently support long-lived tokens, so they can only be used for immediate action after; see the discussion on https://github.com/moby/moby/issues/29257#issuecomment-266121974

The token was issued for 5 minutes. I was very sure that I used the token right after it was generated and within the 5 minutes window.