Some private docker registries (the most prominent probably being AWS ECR) use non-standard ways of authentication. To be able to use this together with watchtower, we need to use a credential helper. To keep the image size small we've decided to not include any helpers in the watchtower image, instead we'll put the helper in a separate container and mount it using volumes. ### Example Example implementation for use with [amazon-ecr-credential-helper](https://github.com/awslabs/amazon-ecr-credential-helper): ```Dockerfile FROM golang:latest ENV CGO_ENABLED 0 ENV REPO github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login RUN go get -u $REPO RUN rm /go/bin/docker-credential-ecr-login RUN go build \ -o /go/bin/docker-credential-ecr-login \ /go/src/$REPO WORKDIR /go/bin/ ``` and the docker-compose definition: ```yaml version: "3" services: watchtower: image: index.docker.io/containrrr/watchtower:latest volumes: - /var/run/docker.sock:/var/run/docker.sock - /.docker/config.json:/config.json - helper:/go/bin environment: - HOME=/ - PATH=$PATH:/go/bin - AWS_REGION= - AWS_ACCESS_KEY_ID= - AWS_SECRET_ACCESS_KEY= volumes: helper: {} ``` and for `/.docker/config.json`: ```json { "HttpHeaders" : { "User-Agent" : "Docker-Client/19.03.1 (XXXXXX)" }, "credsStore" : "osxkeychain", // ...or your prefered helper "auths" : { "xyzxyzxyz.dkr.ecr.eu-north-1.amazonaws.com" : {}, "https://index.docker.io/v1/": {} }, "credHelpers": { "xyzxyzxyz.dkr.ecr.eu-north-1.amazonaws.com" : "ecr-login", "index.docker.io": "osxkeychain" // ...or your prefered helper } } ```