Cloud Docker Rate Limit / Plugin Problems?

Hello everyone.

I know this has come up before but I haven’t quiet figured out a pattern that works. I’m reading this FAQ and it seems like most of the solution don’t work for the cloud version since we can’t mount a docker sock for example. (Security reasons)

I’m looking at the Docker-in-Docker solution. I need to use solution 1 I believe and I just wanted to confirm this, I didn’t think the rate limit applied once you’re logged in. Even with the free account.

To quote their website the way it seems to work:

The rate limits of 100 container image requests per six hours for anonymous usage, and 200 container image requests per six hours for free Docker accounts are now in effect.

So since it’s tied to my account it SHOULD be counting against my quote not the annonymous requests coming from So shouldn’t this just work?

kind: pipeline
name: validation

  - name: docker
    image: plugins/docker
      repo: geekbeacon/beacon-bot
      auto_tag: true
      dockerfile: compose/Dockerfile-bot
      squash: true
      dry_run: true
        from_secret: DOCKER_USER
        from_secret: DOCKER_PASS

    - push
    - pull_request

Also for context this is the error I’m getting:

88 Step 1/11 : FROM node:16.7.0 6s
89 toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: Increase Rate Limits | Docker

Also from the FAQ which doesn’t seem to be working as advertised:

If you are building and publishing to Dockerhub, you provide username and password to the plugin via the settings section in the yaml (see below example). The plugins always executes a docker login using these credentials before it builds and publishes the image. This means that image pulls are going to be authenticated and will receive increased rate limits.

Unless the plugin isn’t working correctly this is not the behavior i’m seeing. If it was counting against my quota I wouldn’t be getting any issues, correct?

Drone does not expose secrets to pull requests by default for security reasons [1]. This means when you build a docker image for a pull request with dry run, the username and password are not injected, which means pulling images is going to be unauthenticated and subject to rate limits.


Ah, that makes sense! Thanks @bradrydzewski.

I suppose I can either roll the die to hope a PR will work if it’s not over quota or expose my docker credentials.

Thanks for the info.

I suppose I can […] expose my docker credentials.

I recommend reading more about signing your yaml. This can prevent unauthorized modification of your yaml, which in this particular case, could prevent someone from modifying your yaml in an attempt to expose your docker secrets.