Private Docker images

Private images on Airplane-hosted agents

If you're using Airplane-hosted agents (the default), you can access private images by attaching an environment variable named DOCKER_PULL_SECRETS. This variable should be a string in the Docker credentials format: a base64-encoded JSON string with username and password fields.

```bash
$ echo '{"username": "MY_USERNAME", "password": "SECRET_PASSWORD"}' | base64
eyJ1c2VybmFtZSI6ICJNWV9VU0VSTkFNRSIsICJwYXNzd29yZCI6ICJTRUNSRVRfUEFTU1dPUkQifQo=
```

Then create a secret Config variable with your base64-encoded JSON string and pass it into your task.
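The following is an added example, not Airplane's own code: a Python helper that builds the DOCKER_PULL_SECRETS value and checks a candidate value before it is stored as a secret Config variable. The function names are hypothetical, and treating whitespace inside the value as an error is an assumption (GNU `base64` wraps output at 76 characters unless `-w0` is given, and the sample above is 80 characters long).

```python
import base64
import binascii
import json


def encode_pull_secret(username, password):
    """Return single-line base64 of {"username": ..., "password": ...}."""
    if not username or not password:
        raise ValueError("username and password must be non-empty")
    # json.dumps escapes quotes and backslashes in the password, which a
    # hand-written echo '{...}' string does not.
    payload = json.dumps({"username": username, "password": password})
    # b64encode never inserts line breaks. Base64 is an encoding, not
    # encryption: the result is as sensitive as the password itself.
    return base64.b64encode(payload.encode("utf-8")).decode("ascii")


def check_pull_secret(value):
    """Return a list of problems with a candidate value; empty means OK."""
    problems = []
    if any(c.isspace() for c in value):
        problems.append("contains whitespace (line-wrapped base64 output?)")
    try:
        raw = base64.b64decode("".join(value.split()), validate=True)
    except (binascii.Error, ValueError):
        return problems + ["not valid base64"]
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return problems + ["decoded bytes are not UTF-8 JSON"]
    if not isinstance(doc, dict):
        return problems + ["decoded JSON is not an object"]
    for field in ("username", "password"):
        if not isinstance(doc.get(field), str) or not doc[field]:
            problems.append(f"missing or empty field: {field}")
    return problems


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    secret = encode_pull_secret("ci-bot", 'p"w\\x')
    print(check_pull_secret(secret))                    # no problems
    print(check_pull_secret(secret[:20] + "\n" + secret[20:]))  # wrapped value
```

In real use, read the password from a prompt or a file rather than a command-line argument so it does not end up in shell history.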

Airplane-hosted agents do not yet support other forms of registry authentication. For GCP and AWS integration, see self-hosted agents below.

Private images on self-hosted agents

Self-hosted agents run in a customer's environment and can utilize native features of GCP and AWS to access private registries hosted on Google GCR and Amazon ECR, respectively.

On GCP, ensure that the instance running the agent has the necessary GCP permissions to access the GCR repository. The agent will automatically use the instance's IAM permissions to acquire Docker credentials when pulling from *.gcr.io registries.

On AWS, ensure that the instance running the agent has the necessary IAM permissions to pull from Amazon ECR. The agent will automatically use the instance's IAM permissions to acquire Docker credentials when pulling from *.amazonaws.com registries.