Private Docker images
Private images on Airplane-hosted agents
If you're using Airplane-hosted agents (the default), you can access private images by attaching an
environment variable named
DOCKER_PULL_SECRETS
. This variable should be a string in the Docker
credentials format: a base64-encoded JSON string with username
and password
fields.bashCopied1$ echo '{"username": "MY_USERNAME", "password": "SECRET_PASSWORD"}' | base642eyJ1c2VybmFtZSI6ICJNWV9VU0VSTkFNRSIsICJwYXNzd29yZCI6ICJTRUNSRVRfUEFTU1dPUkQifQo=
Then create a secret Config variable with your base64-encoded JSON string
and pass it into your task.
Airplane-hosted agents do not yet support other forms of registry authentication. For GCP and AWS
integration, see self-hosted agents below.
Private images on self-hosted agents
Self-hosted agents run in a customer's environment and can utilize native
features of GCP and AWS to access private registries hosted with the respective cloud provider.
On GCP, ensure that the instance running the agent has the necessary GCP
permissions to access the GCR repository. The agent will automatically use the instance's IAM
permissions to acquire Docker credentials when pulling from
*.gcr.io
registries.On AWS, ensure that the instance running the agent has the necessary IAM
permissions to pull from Amazon ECR. The agent will automatically use the instance's IAM permissions
to acquire Docker credentials when pulling from
*.amazonaws.com
registries.