Private Docker images
Private images on Airplane-hosted agents
If you're using Airplane-hosted agents (the default), you can access private images by attaching an
environment variable named DOCKER_PULL_SECRETS. This variable should be a string in the Docker
credentials format: a base64-encoded JSON string with username and password fields.

```bash
$ echo '{"username": "MY_USERNAME", "password": "SECRET_PASSWORD"}' | base64
eyJ1c2VybmFtZSI6ICJNWV9VU0VSTkFNRSIsICJwYXNzd29yZCI6ICJTRUNSRVRfUEFTU1dPUkQifQo=
```
Then create a secret Config variable with your base64-encoded JSON string
and pass it into your task.
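The following is an added example, not code from the Airplane documentation: a Python helper that builds the value with json.dumps, so passwords containing quotes or backslashes are escaped correctly, and checks a candidate value before it is stored as a Config variable. The function names are hypothetical, and the checks assume only what is stated above: base64 wrapping a JSON object with non-empty username and password strings.

```python
import base64
import binascii
import json

# Value copied from the example above (decodes to the MY_USERNAME / SECRET_PASSWORD JSON).
PAGE_EXAMPLE = (
    "eyJ1c2VybmFtZSI6ICJNWV9VU0VSTkFNRSIsICJwYXNzd29yZCI6"
    "ICJTRUNSRVRfUEFTU1dPUkQifQo="
)


def encode_pull_secret(username: str, password: str) -> str:
    """Build a DOCKER_PULL_SECRETS value (hypothetical helper).

    json.dumps escapes quotes and backslashes, which hand-written JSON
    inside a shell echo does not.
    """
    doc = json.dumps({"username": username, "password": password})
    return base64.b64encode(doc.encode("utf-8")).decode("ascii")


def check_pull_secret(value: str) -> list[str]:
    """Return the problems found in a candidate value; empty list means well-formed."""
    try:
        raw = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return ["not valid base64"]
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return ["decoded bytes are not UTF-8 JSON"]
    if not isinstance(doc, dict):
        return ["JSON value is not an object"]
    problems = []
    for field in ("username", "password"):
        # Assumption: both fields must be non-empty strings.
        if not isinstance(doc.get(field), str) or not doc[field]:
            problems.append(f"missing or empty string field: {field}")
    return problems


if __name__ == "__main__":
    print(check_pull_secret(PAGE_EXAMPLE))  # page example is well-formed
    # Constructed sample: a password with characters that break naive quoting.
    tricky = encode_pull_secret("ci-bot", 'p"a\\ss\'word')
    print(check_pull_secret(tricky))
```

Running the check before saving the Config variable catches a malformed value locally instead of at task start.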
Airplane-hosted agents do not yet support other forms of registry authentication. For GCP and AWS
integration, see self-hosted agents below.
Private images on self-hosted agents
Self-hosted agents run in a customer's environment and can utilize native
features of GCP and AWS to access private registries hosted with the respective cloud provider.
If the agent detects that a task is configured with a private image from
Amazon Elastic Container Registry (ECR) or
Google Artifact Registry (GAR), then it will use a
cloud-specific credential helper to fetch credentials for the image before starting up a task
runner.
In order for this to work correctly, the agent IAM role (in AWS) or service account (in GCP) needs
permissions to generate credentials for the corresponding registries.