CodeBuild Remote Docker Host

The AWS CodeBuild remote runner uses Docker to your app and it’s dependencies. AWS CodeBuild already has Docker installed and uses a local docker daemon on the same CodeBuild machine. Since CodeBuild dynamically provisions new machines each run, docker layer caches cannot be reused.

You can speed up the AWS CodeBuild remote runner by using a remote instead of a local docker daemon. This allows the remote runner to reuse docker layers. It is a more cost-effective way to speed up the AWS CodeBuild runs than Fleets and is one of my favorite approaches.

Configure Remote Docker Host

To use a remote Docker host, the DOCKER_HOST env var.

Env Var Example Description
DOCKER_USER user Docker user. Useful to loging into DockerHub to increase the docker pull rate limit.
DOCKER_PASS pass Docker password. Useful to loging into DockerHub to increase the docker pull rate limit.
DOCKER_HOST ssh:// The remote docker host. Examples: ssh:// and tcp:// When using ssh, you also need to set JETS_SSH_KNOWN and JETS_SSH_KEY.
JETS_SSH_KEY SSM:/#{ssm_env}/JETS_SSH_KEY The private ssh key to be added to the CodeBuild machine. This is written to ~/.ssh/id_rsa.
JETS_SSH_KNOWN SSM:/#{ssm_env}/JETS_SSH_KNOWN The string to be added to CodeBuild ~/.ssh/known_hosts file. This can be generated from ssh-keyscan -H -t rsa This is required so that docker can connect via ssh. Otherwise, docker errors when trying to connect.

To protect the Docker host, you can use ssh. You also need to set JETS_SSH_KNOWN and JETS_SSH_KEY so Jets can create the necessary ~/.ssh/id_rsa and ~/.ssh/known_hosts on the remote runner.


Here’s an example


Jets.bootstrap.configure do
  config.codebuild.project.env.vars = {
    DOCKER_HOST: "ssh://",
    JETS_SSH_KEY: "SSM:/#{ssm_env}/JETS_SSH_KEY",



The JETS_SSH_KNOWN is a string added to ~/.ssh/known_hosts. You can think of it as:

ssh-keyscan -H -t rsa >> ~/.ssh/known_hosts

Jets does this using the environment variables.

The SSM: examples above use SSM reference values. This tells CodeBuild to grab the value from the SSM Parameter Store from your AWS account. This keeps secrets out of version control. The secret values are never pulled down to the client machine. Last, they are also obfuscated in the AWS CodeBuild logs.

Related: ServerFault: Securely add a host (e.g. GitHub) to the SSH known_hosts file

CodeBuild Cache Reuse

Note: Technically, if you start multiple CodeBuild runs close enough to each other, then AWS Codebuild uses the same machine, and the docker caches are reused. However, they must be close to each other for a minute or so. In practice, it’s rare to reuse the docker cache. Additionally, you can use CodeBuild fleets, but fleets have additional costs since they are always running.