Private Docker images

Private images on Airplane-hosted agents

If you're using Airplane-hosted agents (the default), you can access private images by attaching an environment variable named DOCKER_PULL_SECRETS. This variable should be a string in the Docker credentials format: a base64-encoded JSON string with username and password fields.
bash
Copied
1
$ echo '{"username": "MY_USERNAME", "password": "SECRET_PASSWORD"}' | base64
2
eyJ1c2VybmFtZSI6ICJNWV9VU0VSTkFNRSIsICJwYXNzd29yZCI6ICJTRUNSRVRfUEFTU1dPUkQifQo=
Then create a secret Config variable with your base64-encoded JSON string and pass it into your task.
Airplane-hosted agents do not yet support other forms of registry authentication. For GCP and AWS integration, see self-hosted agents below.

Private images on self-hosted agents

Self-hosted agents run in a customer's environment and can utilize native features of GCP and AWS to access private registries hosted with the respective cloud provider.
If the agent detects that a task is configured with a private image from Amazon Elastic Container Registry (ECR) or Google Artifact Registry (GAR), then it will use a cloud-specific credential helper to fetch credentials for the image before starting up a task runner.
In order for this to work correctly, the agent IAM role (in AWS) or service account (in GCP) needs permissions to generate credentials for the corresponding registries.