How to pull private images with 1.0

I have not had time to document this yet, so I figured I would write a quick post. If you are coming from Drone 0.8 you may be wondering how to configure credentials required to pull private images defined in your yaml, for example:

kind: pipeline
name: default

- name: build
  - go build
  - go test

In the above example, is a private registry and requires username and password to pull the image. To provide Drone with the credentials you need to create a secret named dockerconfigjson, where the secret value is valid docker configuration file with your authentication credentials.

NOTE when you add the registry credentials as a secret you probably need to enable the secret for pull requests. I am pretty sure this is required, but I might be wrong. So for the moment, assume this is required.

The docker configuration file should look something like this:

	"auths": {
		"": {
			"auth": "YW11cmRhY2E6c3VwZXJzZWNyZXRwYXNzd29yZA=="

You can then reference this secret in your yaml

kind: pipeline
name: default

- name: build
  - go build
  - go test

- dockerconfigjson

If you are unfamiliar with this file please consult the official Docker documentation. Do not try to construct this file by hand. There is also a nice article about the config file format here:

If you are having difficulty with registry secrets please provide the following:

  1. version of Drone you are using
  2. a copy of your yaml configuration file.
  3. the output of drone secret info <repo> --name=<secret> for your secret
  4. the output of drone build info <repo> <build> for your build
  5. the output of your Drone runner logs with trace logging enabled
  6. the output of your Docker daemon logs
  7. if the build is a pull request, check to make sure the secret is enabled for pull requests.
  8. if your registry is insecure, make sure the docker daemon is configured properly.

Option 2

The second option would be to pass this file to the agent. This will make the credentials available globally to all builds and all repositories. First you would mount the config file into your agent container:

docker run \
-v /root/.docker/config.json:/root/.docker/config.json

Then you need to pass the agent the path of the mounted file:

docker run \
-e DRONE_DOCKER_CONFIG=/root/.docker/config.json

@bradrydzewski Per option 2, this is just going forward with 1.0? This doesn’t working with 0.8 currently, yea?

correct, this thread is only applicable for 1.0

Are you sure about the name of the secret? .dockerconfigjson starts with a dot and that’s not allowed for docker secrets nor kubernetes secrets.

yes, I am sure this is the correct secret name in Drone.

I was able to get this to work on my drone projects. Thanks for this, since global registry creds with k8s are currently undocumented I was having to pull the private base images by hand.

I’d be curious to see a version of this that worked with something like AWS ECR that requires regularly refreshing the token.

AWS ECR does not work using the methods described in this thread, because as you mentioned, it requires special logic to periodically generate docker credentials. You therefore need to use a plugin for this. There is a thread that discusses this in depth:

And in one of the comments a community-member posts a plugin they created:

Posting this here as a reminder for myself and incase anyone else hits this issue.

When using option 1 to authenticate make sure you paste the contents of your dockerconfigjson file into the Drone settings -> secrets for you application and not the kubernetes configuration secrets.

This seems obvious to me now but I wasted several hours trying to work this out. Hopefully it saves someone else some time.

1 Like

@bradrydzewski Is there an official drone way to pull and use AWS ECR images for steps for 1.0? Or do you have a recommendation for that given the AWS login credential fun I can’t just use dockerconfigjson.

Any ideas?

you can use a registry plugin to provide the agent with ecr credentials:

I forgot to mention I am running on Kubernetes native, so I think that complicates things a bit right? Thanks for your quick response on this!

Actually, it looks like since our Kubernetes cluster already has permissions to our AWS ECR, I can just reference the image normally and it pulls it without any issue. Wish I would have just tried that first :joy:

Side note @bradrydzewski - Looks like on kubernetes native when pull: true is set is is still using an old version of the image, is this a known issue or am I missing something?

pull: true is not valid syntax for 1.0 (it was for 0.8). Instead you should use one of the following values:

pull: always
pull: if-not-exists
pull: never


Welp, it must be too early for me or something. Thanks again!

The first option doesn’t seem to work with kubernetes scheduler

For those with default credential store enabled, in order to get the config file bradrydzewski mentioned

  1. logout of docker
  2. remove credStore
  3. login to docker again
docker logout
# locate your docker config file. path should be ~/.docker/config.json
# and remove "credsStore": "xyz",
docker login --username # will prompt for password
# open ~/.docker/config.json again
# make a secret on drone with the content of the file, using only the auth part mentioned above

And for those rebellious enough, you can skip the hassle above by base64 encoding your credentials

cat <<EOF >> dockerconfigjson
	"auths": {
		"": {
			"auth": "$(base64 --input=credfile)"
# credfile content

Excuse me! I add the dockerconfigjson’s value to drone -> setting -> secrets but when i push my git ,my private image still pull error ,my drone server image version is 1 ,if you can help me i will very thankful !!

What is the best way to pull from aws ecr?
Is there no useful plugin like the drone-ecr?
I came up with a rather complicated cron-job version gathering the login data.