diff --git a/README.md b/README.md
index 6f4f454c1..2a5a22214 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,7 @@ expect - see [Known Issues](#known-issues).
 - [Caching Layers](#caching-layers)
 - [Caching Base Images](#caching-base-images)
 - [Pushing to Different Registries](#pushing-to-different-registries)
+ - [Credential Provider Priorities](#credential-provider-priorities)
 - [Pushing to Docker Hub](#pushing-to-docker-hub)
 - [Pushing to Google GCR](#pushing-to-google-gcr)
 - [Pushing to GCR using Workload Identity](#pushing-to-gcr-using-workload-identity)
@@ -621,6 +622,11 @@ kaniko comes with support for GCR, Docker `config.json` and Amazon ECR, but
 configuring another credential helper should allow pushing to a different registry.
+#### Credential Provider Priorities
+
+By default kaniko will configure all built-in credential providers for you. These are `[default, env, google, ecr, acr, gitlab]`.
+You can (de)-activate credential helpers via the [`--credential-helpers`](#flag---credential-helpers) flag. The `default` credential helper will always be active and itself handles two sources: `DOCKER_AUTH_CONFIG` environment variable and `/kaniko/.docker/config.json` file, where priority is always given to `DOCKER_AUTH_CONFIG` and therefore can shadow credentials configured in the config file. If you want to disable `DOCKER_AUTH_CONFIG` you have to unset the environment variable explicitly `unset DOCKER_AUTH_CONFIG` prior to calling kaniko.
+
 #### Pushing to Docker Hub
 Get your docker registry user and password encoded in base64
diff --git a/cmd/executor/cmd/root.go b/cmd/executor/cmd/root.go
index 63bddddc4..ba1cedd6d 100644
--- a/cmd/executor/cmd/root.go
+++ b/cmd/executor/cmd/root.go
@@ -178,7 +178,15 @@ var RootCmd = &cobra.Command{
 }
 if !opts.NoPush || opts.CacheRepo != "" {
 if err := executor.CheckPushPermissions(opts); err != nil {
- exit(fmt.Errorf("error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: %w", err))
+ logrus.Warnf("make sure you entered the correct tag name, that you are authenticated correctly, and try again.")
+ // mz280: remind users that DOCKER_AUTH_CONFIG gets prioritized by docker-cli
+ // https://github.com/docker/cli/pull/6171
+ _, ok := os.LookupEnv("DOCKER_AUTH_CONFIG")
+ if ok {
+ logrus.Warnf("note that your DOCKER_AUTH_CONFIG env variable can shadow credentials from configfile")
+ logrus.Warnf("see https://github.com/osscontainertools/kaniko/issues/280#issuecomment-3498449955")
+ }
+ exit(fmt.Errorf("error checking push permissions: %w", err))
 }
 }
 if err := resolveRelativePaths(); err != nil {
diff --git a/pkg/creds/creds.go b/pkg/creds/creds.go
index 950b7f5d9..c869052fb 100644
--- a/pkg/creds/creds.go
+++ b/pkg/creds/creds.go
@@ -17,7 +17,10 @@ limitations under the License.
 package creds
 import (
+ "fmt"
 "io"
+ "os"
+ "strings"
 ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
 "github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
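Review bot: The hint `make sure you entered the correct tag name, that you are authenticated correctly, and try again.` is logged before the error it explains, so the user reads advice about a failure that has not yet been reported; log the hints after the error, or fold them back into the exit message as the removed line did, e.g. `exit(fmt.Errorf("error checking push permissions (check the tag name and your registry authentication): %w", err))`. The three `logrus.Warnf` calls carry no format verbs, so `logrus.Warn` is the idiomatic call and avoids a literal `%` ever being interpreted as one. The `// mz280:` prefix is opaque to a reader; name the issue instead, `// kaniko#280: docker/cli (docker/cli#6171) gives DOCKER_AUTH_CONFIG precedence over config.json`. The enclosing command function starts and ends outside the hunk.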
@@ -25,18 +28,32 @@ import (
 "github.com/google/go-containerregistry/pkg/authn"
 "github.com/google/go-containerregistry/pkg/v1/google"
 "github.com/osscontainertools/kaniko/pkg/config"
+ "github.com/osscontainertools/kaniko/pkg/util"
 "github.com/sirupsen/logrus"
 )
 // GetKeychain returns a keychain for accessing container registries.
 func GetKeychain(opts *config.RegistryOptions) authn.Keychain {
 var helpers []string
+ var prios []string
+
+ _, ok := os.LookupEnv("DOCKER_AUTH_CONFIG")
+ if ok {
+ prios = append(prios, "env:DOCKER_AUTH_CONFIG")
+ }
+
+ cf := util.DockerConfLocation()
+ _, err := os.Lstat(cf)
+ if err == nil {
+ prios = append(prios, fmt.Sprintf("file:%s", cf))
+ }
 if len(opts.CredentialHelpers) == 0 {
 helpers = []string{"env", "google", "ecr", "acr", "gitlab"}
 } else {
 helpers = opts.CredentialHelpers
 }
+ prios = append(prios, helpers...)
 keychains := []authn.Keychain{authn.DefaultKeychain}
 for _, source := range helpers {
@@ -72,5 +89,6 @@ func GetKeychain(opts *config.RegistryOptions) authn.Keychain {
 }
 }
+ logrus.Infof("credential providers by priority: [%s]", strings.Join(prios, ", "))
 return authn.NewMultiKeychain(keychains...)
 }
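Review bot: The `file:` entry is added whenever `os.Lstat(cf)` succeeds, and Lstat also succeeds for a dangling symlink, so the log can advertise a config file that a later open will not be able to read; `os.Stat` reports what the keychain will actually see. `_, err := os.Lstat(cf)` additionally declares a function-scoped `err` that the helper loop below (its body is outside the hunk) may shadow with `:=`, which shadow linters flag; `if _, err := os.Stat(cf); err == nil {` keeps it scoped to the check. The same initializer form suits the env check, `if _, ok := os.LookupEnv("DOCKER_AUTH_CONFIG"); ok {`, and `"file:"+cf` makes the new `fmt` import unnecessary. The list names only the env variable and the config path, never credential values, which is the right granularity for an info-level log.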
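Review bot: The list logged as `credential providers by priority` is assembled from the inputs rather than from the `keychains` slice that is actually built, so if the loop above skips or rejects an unknown helper name (its body is outside this hunk) that name is still reported as active, and `authn.DefaultKeychain`, which sits first in `keychains`, is represented only by the two inferred `env:`/`file:` entries. Appending to `prios` at the same points where `keychains` is appended would keep the log truthful; until then a comment on the Info line, `// prios mirrors the intended order, not what the helper loop actually registered`, warns readers not to treat it as authoritative. GetKeychain begins outside this hunk.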