diff --git a/lib/datasource/docker/common.ts b/lib/datasource/docker/common.ts
index 3b101a6a254c6f1f4a3666709a4b9b3b9e31dc3d..9b9288ad5650b2f7a2f5125105b82c45e0ad2f73 100644
--- a/lib/datasource/docker/common.ts
+++ b/lib/datasource/docker/common.ts
@@ -33,8 +33,10 @@ async function getECRAuthToken(
     config.credentials = {
       accessKeyId: opts.username,
       secretAccessKey: opts.password,
+      ...(opts.token && { sessionToken: opts.token }),
     };
   }
+
   const ecr = new ECR(config);
   try {
     const data = await ecr.getAuthorizationToken({});
diff --git a/lib/datasource/docker/index.spec.ts b/lib/datasource/docker/index.spec.ts
index 5db28b35826b75ec9c65995afceeeb7c51fb488d..e223c2bd5f34856c538947ee33b7242fdc857e0f 100644
--- a/lib/datasource/docker/index.spec.ts
+++ b/lib/datasource/docker/index.spec.ts
@@ -201,11 +201,12 @@ describe('datasource/docker/index', () => {
         .reply(401, '', {
           'www-authenticate': 'Basic realm="My Private Docker Registry Server"',
         })
-        .head('/library/some-dep/manifests/some-tag', undefined, {
-          reqheaders: {
-            authorization: 'Basic c29tZS11c2VybmFtZTpzb21lLXBhc3N3b3Jk',
-          },
-        })
+
+        .head('/library/some-dep/manifests/some-tag')
+        .matchHeader(
+          'authorization',
+          'Basic c29tZS11c2VybmFtZTpzb21lLXBhc3N3b3Jk'
+        )
         .reply(200, '', { 'docker-content-digest': 'some-digest' });
       const res = await getDigest(
         { datasource: 'docker', depName: 'some-dep' },
@@ -237,11 +238,48 @@ describe('datasource/docker/index', () => {
         .reply(401, '', {
           'www-authenticate': 'Basic realm="My Private Docker Registry Server"',
         })
-        .head('/node/manifests/some-tag', undefined, {
-          reqheaders: { authorization: 'Basic abc' },
+        .head('/node/manifests/some-tag')
+        .matchHeader('authorization', 'Basic test_token')
+        .reply(200, '', { 'docker-content-digest': 'some-digest' });
+
+      mockEcrAuthResolve({
+        authorizationData: [{ authorizationToken: 'test_token' }],
+      });
+
+      await getDigest(
+        {
+          datasource: 'docker',
+          depName: '123456789.dkr.ecr.us-east-1.amazonaws.com/node',
+        },
+        'some-tag'
+      );
+
+      expect(AWS.ECR).toHaveBeenCalledWith({
+        credentials: {
+          accessKeyId: 'some-username',
+          secretAccessKey: 'some-password',
+        },
+        region: 'us-east-1',
+      });
+    });
+
+    it('passes session token to ECR client', async () => {
+      httpMock
+        .scope(amazonUrl)
+        .get('/')
+        .reply(401, '', {
+          'www-authenticate': 'Basic realm="My Private Docker Registry Server"',
         })
+        .head('/node/manifests/some-tag')
+        .matchHeader('authorization', 'Basic test_token')
         .reply(200, '', { 'docker-content-digest': 'some-digest' });
 
+      hostRules.find.mockReturnValue({
+        username: 'some-username',
+        password: 'some-password',
+        token: 'some-session-token',
+      });
+
       mockEcrAuthResolve({
         authorizationData: [{ authorizationToken: 'test_token' }],
       });
@@ -258,6 +296,7 @@ describe('datasource/docker/index', () => {
         credentials: {
           accessKeyId: 'some-username',
           secretAccessKey: 'some-password',
+          sessionToken: 'some-session-token',
         },
         region: 'us-east-1',
       });
@@ -270,9 +309,8 @@ describe('datasource/docker/index', () => {
         .reply(401, '', {
           'www-authenticate': 'Basic realm="My Private Docker Registry Server"',
         })
-        .head('/node/manifests/some-tag', undefined, {
-          reqheaders: { authorization: 'Basic abc' },
-        })
+        .head('/node/manifests/some-tag')
+        .matchHeader('authorization', 'Basic test')
         .reply(200, '', { 'docker-content-digest': 'some-digest' });
 
       mockEcrAuthResolve({