Using Third-Party Private Container Registries

Users sometimes need CI services access container images from a private third-party container registry such as AWS’s ECR. There are two reasons this would normally happen:

  • A container in containers.git is based on a private container image. e.g. Its Dockerfile has FROM <private registry>/<container>
  • A Docker Compose App references a private container image. e.g. Its docker-compose.yml has a line like image: <private registry>/<container>

In either case, CI will need read access to the private container image in order to construct a Target. The Factory Definition (ci-scripts.git) provides a way to configure this.

Configuring for AWS ECR

CI uses the aws ecr get-login-password command to authenticate. A factory can be configured to use this by first providing an AWS credentials file to CI:

$ fioctl secrets update aws_creds="$(cat $HOME/.aws/credentials)"


Using a personal credentials file is probably not secure. An AWS admin should create an IAM account that can only pull from the container registry.

Then set the factory configuration with something like:

# factory-config.yml
- type: aws
  region: us-east-2
  aws_creds_secret_name: aws_creds