Private Docker images

If you're using Airplane-hosted agents (the default), you can access private images by attaching an environment variable named DOCKER_PULL_SECRETS. This variable should be a string in the Docker credentials format: a base64-encoded JSON string with username and password fields.

bash
Copied
1
$ echo '{"username": "MY_USERNAME", "password": "SECRET_PASSWORD"}' | base64
2
eyJ1c2VybmFtZSI6ICJNWV9VU0VSTkFNRSIsICJwYXNzd29yZCI6ICJTRUNSRVRfUEFTU1dPUkQifQo=

Then create a secret Config variable with your base64-encoded JSON string and pass it into your task.

Self-hosted agents run in a customer's environment and can utilize native features of GCP and AWS to access private registries hosted with the respective cloud provider.

On GCP, ensure that the instance running the agent has the necessary GCP permissions to access the GCR repository. The agent will automatically use the instance's IAM permissions to acquire Docker credentials when pulling from *.gcr.io registries.

On AWS, ensure that the instance running the agent has the necessary IAM permissions to pull from Amazon ECR. The agent will automatically use the instance's IAM permissions to acquire Docker credentials when pulling from *.amazonaws.com registries.