diff --git a/main.tf b/main.tf
index 18d30c4..31b737b 100644
--- a/main.tf
+++ b/main.tf
@@ -26,6 +26,13 @@ resource "aws_iam_role_policy" "task_execution" {
 policy = "${data.aws_iam_policy_document.task_execution_permissions.json}"
 }
 
+resource "aws_iam_role_policy" "read_repository_credentials" {
+ count = "${length(var.repository_credentials) != 0 ? 1 : 0}"
+ name = "${var.name_prefix}-read-repository-credentials"
+ role = "${aws_iam_role.execution.id}"
+ policy = "${data.aws_iam_policy_document.read_repository_credentials.json}"
+}
+
 # ------------------------------------------------------------------------------
 # IAM - Task role, basic. Users of the module will append policies to this role
 # when they use the module. S3, Dynamo permissions etc etc.
@@ -106,6 +113,7 @@ resource "aws_ecs_task_definition" "task" {
 [{
 "name": "${var.name_prefix}",
 "image": "${var.task_container_image}",
+ ${local.repository_credentials_rendered}
 "essential": true,
 "portMappings": [
 {
diff --git a/policies.tf b/policies.tf
index cc4afda..3c65ee1 100644
--- a/policies.tf
+++ b/policies.tf
@@ -46,3 +46,23 @@ data "aws_iam_policy_document" "task_execution_permissions" {
 ]
 }
 }
+
+data "aws_kms_key" "secretsmanager_key" {
+ key_id = "${var.repository_credentials_kms_key}"
+}
+
+data "aws_iam_policy_document" "read_repository_credentials" {
+ statement {
+ effect = "Allow"
+
+ resources = [
+ "${var.repository_credentials}",
+ "${data.aws_kms_key.secretsmanager_key.arn}",
+ ]
+
+ actions = [
+ "secretsmanager:GetSecretValue",
+ "kms:Decrypt",
+ ]
+ }
+}
diff --git a/variables.tf b/variables.tf
index bc5ec5b..5adec0d 100644
--- a/variables.tf
+++ b/variables.tf
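Review bot: The new role policy is gated on `count`, but the document it attaches, `data.aws_iam_policy_document.read_repository_credentials`, and the `data.aws_kms_key.secretsmanager_key` lookup behind it are evaluated unconditionally, so with `repository_credentials` at its empty default the document still renders with `""` as a resource and every plan presumably still needs permission to describe the KMS alias. That is only harmless because the attachment is skipped in that case, which a reader has to trace across files to see. A comment on the `count` line would make the dependency explicit, e.g. `# attach only when repository credentials are configured; the policy document below is always rendered`. The referenced `aws_iam_role.execution` is defined outside this hunk.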
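Review bot: The inserted `${local.repository_credentials_rendered}` sits between two members of the container-definition JSON heredoc without a comma of its own, so the local must render to either exactly an empty string or a complete `"repositoryCredentials": { ... },` member including the trailing comma; anything else yields an invalid task definition and nothing in this file validates the rendered JSON. The variables.tf hunk in this commit defines a local named `repository_credentials_fragment`, and because that hunk is cut off I cannot see where `repository_credentials_rendered` is derived from it, so please confirm the two names line up. A comment on the inserted line would pin the contract for future edits, e.g. `# renders to "" or to a "repositoryCredentials" member with its trailing comma`. The `container_definitions` heredoc continues outside the hunk.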
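Review bot: `resources` lists `${var.repository_credentials}` verbatim, but the variable description added in this commit accepts a bare secret name as well as an ARN, and an IAM `Resource` entry that is not an ARN fails policy validation when the role policy is created; either the description should say ARN only, or the name should be resolved through an `aws_secretsmanager_secret` data source before it reaches the policy. The single statement also grants `kms:Decrypt` on the secret ARN and `secretsmanager:GetSecretValue` on the key ARN, which is inert but obscures intent; splitting the two grants and restricting the decrypt to calls made through Secrets Manager with a `kms:ViaService` condition keeps the execution role at least privilege, which matters more when `repository_credentials_kms_key` points at a customer-managed key rather than the default alias. Both data sources are evaluated even when `repository_credentials` is empty, so the document is rendered with an empty resource and is only safe because the attachment in main.tf is conditional.

```hcl
data "aws_iam_policy_document" "read_repository_credentials" {
  statement {
    effect    = "Allow"
    resources = ["${var.repository_credentials}"]
    actions   = ["secretsmanager:GetSecretValue"]
  }

  statement {
    effect    = "Allow"
    resources = ["${data.aws_kms_key.secretsmanager_key.arn}"]
    actions   = ["kms:Decrypt"]

    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      # <REGION> is a placeholder: take it from an aws_region data source in this module
      values   = ["secretsmanager.<REGION>.amazonaws.com"]
    }
  }
}
```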
@@ -106,3 +106,26 @@ variable "deployment_controller_type" {
 type = "string"
 description = "Type of deployment controller. Valid values: CODE_DEPLOY, ECS."
 }
+
+# https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html
+variable "repository_credentials" {
+ default = ""
+ description = "name or ARN of a secrets manager secret (arn:aws:secretsmanager:region:aws_account_id:secret:secret_name)"
+}
+
+variable "repository_credentials_kms_key" {
+ default = "alias/aws/secretsmanager"
+ description = "key id, key ARN, alias name or alias ARN of the key that encrypted the repository credentials"
+}
+
+locals {
+ # if the variable is set, create the fragment based on the variable value
+ # if not, just return a empty string to not mess up the json
+ repository_credentials_fragment = <