GitLab CI: How to Pull a Private Docker Image from AWS ECR in Your Pipeline

Using the Amazon Elastic Container Registry outside of AWS is not straightforward. There is no static username and password that you can generate once and use forever. In this article, I will explore a possible solution for pulling from ECR in GitLab CI jobs.

Valentin Despa
DevOps with Valentine


Let’s begin with a simple example:

do stuff:
  image: 12345678.dkr.ecr.us-east-1.amazonaws.com/myimage:latest
  script:
    - whoami

If you are trying to use a Docker image from a private Docker registry in GitLab CI, you may get an error similar to this one:

WARNING: Failed to pull image with policy "always": Error response from daemon: Get https://<accountId>.dkr.ecr.us-east-1.amazonaws.com/v2/<project>/manifests/latest: no basic auth credentials (manager.go:203:0s)
ERROR: Job failed: failed to pull image "<accountId>.dkr.ecr.us-east-1.amazonaws.com/<project>" with specified policies [always]: Error response from daemon: Get https://<accountId>.dkr.ecr.us-east-1.amazonaws.com/v2/<project>/manifests/latest: no basic auth credentials (manager.go:203:0s)
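
The `no basic auth credentials` error means the runner had no login for the registry host, and an ECR login is a temporary token (valid for 12 hours) rather than a fixed password. The following is an added example, not code from the original article: it decodes a constructed entry shaped like the output of `aws ecr get-authorization-token`, rejects a token that is expired or about to expire, and builds the JSON that GitLab reads from the `DOCKER_AUTH_CONFIG` CI/CD variable. The helper names and the sample token are assumptions made for illustration.

```python
import base64
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample shaped like one "authorizationData" entry from
# `aws ecr get-authorization-token`; the password is a placeholder.
SAMPLE_ENTRY = {
    "authorizationToken": base64.b64encode(b"AWS:constructed-password").decode(),
    "expiresAt": "2024-01-01T20:00:00+00:00",  # issued 08:00 UTC, valid 12 hours
    "proxyEndpoint": "https://12345678.dkr.ecr.us-east-1.amazonaws.com",
}


def parse_expiry(value):
    """Accept an epoch number or an ISO 8601 string with an explicit offset."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value)


def docker_auth_config(entry, now, min_remaining=timedelta(minutes=30)):
    """Build DOCKER_AUTH_CONFIG JSON for one ECR registry (hypothetical helper).

    Raises ValueError if the token is malformed or too close to expiry.
    """
    decoded = base64.b64decode(entry["authorizationToken"]).decode()
    user, sep, password = decoded.partition(":")
    if user != "AWS" or not sep or not password:
        raise ValueError("token does not decode to AWS:<password>")
    if parse_expiry(entry["expiresAt"]) - now < min_remaining:
        raise ValueError("token expired or expiring soon; request a new one")
    registry = urlparse(entry["proxyEndpoint"]).netloc  # host only, no scheme
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    return json.dumps({"auths": {registry: {"auth": auth}}})


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    config = json.loads(docker_auth_config(SAMPLE_ENTRY, now))
    # Print registry hosts only; the auth value is a credential and stays out of logs.
    print(sorted(config["auths"]))
```

Because the token is short-lived, a value stored in `DOCKER_AUTH_CONFIG` has to be refreshed before it expires, and the variable should be masked so the credential does not appear in job logs.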
