GitLab Runner unable to pull private image on EKS

We have a private Git repository hosted on We have configured the CI pipelines to use private images hosted on DockerHub and while using the GCE shared runners we are able to run the jobs we have configured. We have then configured a private runner on our EKS cluster in us-west-2 and we are able to run ‘echo hello world’ type jobs with public images.

Unfortunately the combination of GitLab Runner + EKS + private image leads into this error:
ERROR: Job failed: image pull failed: rpc error: code = Unknown desc = Error response from daemon: pull access denied for private/base, repository does not exist or may require ‘docker login’.

We have configured DOCKER_AUTH_CONFIG correctly since the pipelines are able to pull from the shared runners.

Some of the things we tried explicitly.
In .gitlab-ci.yml:

hello alpine:
  image: alpine
    - echo hello alpine

hello private:
  image: "private/base:latest"
    - echo hello private repo

hello hub:
  image: ""
    - echo hello hub

And for the DOCKER_AUTH_CONFIG variable under the CI/CD settings:

  "auths": {
    "": {
      "auth": "xxxxxxxxxxxxx"
    "": {
      "auth": "xxxxxxxxxxxxx"

With private being our actual private repository name.

The alpine job runs fine, the ones with private/base or just do not work at all and give us the errors:

Running with gitlab-runner 11.10.1 (1f513601)
  on Kubernetes runners Z1Fs87ZN
Using Kubernetes namespace: gitlab-managed-apps
Using Kubernetes executor with image ...
Waiting for pod gitlab-managed-apps/runner-z1fs87zn-project-12110245-concurrent-3jjx2f to be running, status is Pending
ERROR: Job failed: image pull failed: rpc error: code = Unknown desc = Error response from daemon: pull access denied for, repository does not exist or may require 'docker login'

Again on the shared runners with the exact same settings all 3 jobs are completely fine:

Running with gitlab-runner 11.11.0-rc2 (7f58b1ec)
  on docker-auto-scale 0277ea0f
Using Docker executor with image ...
Pulling docker image ...
Using docker image sha256:aaf9aaaa86b6177011d2f5825778658a0aaaad601e48bb54b4aaa25b067faaaa for ...
Running on runner-0277ea0f-project-12110245-concurrent-0 via runner-0277ea0f-srm-1557526255-0d27ad05...

This is with EKS 1.12, gitlab cloud and Gitlab Runner 11.10.1. We have other jobs running in this EKS cluster that are not related to GitLab that can pull the private images without any issue, and since the same configuration works on the shared runners I really suspect an issue with Gitlab Runner specifically under EKS.

1 Like

This turns out to be a bug that’s been opened for over a year:

There are some workarounds: