@philpennock
Last active October 20, 2021 15:07
This is an extract from an image build script I have, showing how I handle docker creds expiration.

```bash
#!/usr/bin/env bash
set -euo pipefail
progname="$(basename "$0" .sh)"
note() { printf >&2 '%s: %s\n' "$progname" "$*"; }
# ...
# This bit happens _after_ the build, before the push, so that the time remaining in credentials doesn't need to
# account for build duration
readonly aws_ecr='public.ecr.aws'
# [there is a conditional here, not germane to the example, thus the indent]
    # This is an assumption that we're on GNU/Linux with the keyring tools installed, and then
    # ~/.docker/config.json having "credsStore": "secretservice"
    # With other setups, this will need to find the current credentials another way.
    # The stored password is the ECR token: base64-encoded JSON carrying an "expiration" epoch.
    # `// empty` keeps exp_time blank (rather than the string "null") if the field is absent.
    exp_time="$(secret-tool lookup docker_cli 1 server "$aws_ecr" | base64 -d | jq -r '.expiration // empty')" || true
    need_login=false
    if [[ -z "$exp_time" ]]; then
      note "No docker credentials for server $aws_ecr"
      need_login=true
    elif (( EPOCHSECONDS + 600 > exp_time )); then
      if (( EPOCHSECONDS > exp_time )); then
        note "Docker credentials EXPIRED for server $aws_ecr"
      else
        note "Docker credentials EXPIRING SOON for server $aws_ecr"
      fi
      # 10 minutes remaining lifetime seems reasonable, we've already built.
      need_login=true
    fi
    if "$need_login"; then
      note "Invoking aws|docker login chain"
      # ECR login is _always_ us-east-1
      aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin "$aws_ecr"
    else
      # BEWARE: assumption of GNU date(1), this doesn't handle BSD date(1)
      note "Docker credentials for $aws_ecr seem fine [expire: $(date -d "@$exp_time" --iso-8601=seconds)]"
    fi
```
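The expiry decision from the script above, pulled into two functions and exercised offline against a constructed token, as an added example that is not part of the gist. It assumes only `base64` plus either `jq` or `sed` are installed; the token shape (base64-encoded JSON with an `expiration` epoch) follows the gist's `jq -r .expiration`, and the sample token and timestamps are constructed here.

```bash
#!/usr/bin/env bash
# Added example, not the gist's code: isolate the "do we need to log in again?"
# logic so the 10-minute margin and its edge cases can be checked without AWS.
set -eu

# Renewal margin in seconds (the gist uses 10 minutes).
CRED_MARGIN=600

# Print the "expiration" epoch from an ECR token (base64-encoded JSON).
# Prints nothing if the token does not decode or has no expiration field.
ecr_token_expiration() {
  decoded="$(printf '%s' "$1" | base64 -d 2>/dev/null)" || return 1
  if command -v jq >/dev/null 2>&1; then
    printf '%s' "$decoded" | jq -r '.expiration // empty'
  else
    # Fallback when jq is unavailable: pull the integer after the key.
    printf '%s' "$decoded" | sed -n 's/.*"expiration"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
  fi
}

# Classify credentials given an expiration epoch (possibly empty or "null")
# and the current epoch.  Prints: missing | expired | expiring | ok.
# Everything except "ok" means the aws|docker login chain must run.
creds_decision() {
  exp_time="$1"; now="$2"
  case "$exp_time" in
    ''|*[!0-9]*) echo missing; return 0 ;;   # absent or non-numeric
  esac
  if [ "$now" -gt "$exp_time" ]; then
    echo expired
  elif [ $((now + CRED_MARGIN)) -gt "$exp_time" ]; then
    echo expiring                           # inside the 10-minute margin
  else
    echo ok
  fi
}

# Constructed sample token: expiration 1634745600 (2021-10-20T16:00:00Z).
SAMPLE_TOKEN="$(printf '{"payload":"x","datakey":"y","version":"2","type":"DATA_KEY","expiration":1634745600}' | base64 | tr -d '\n')"

main() {
  exp="$(ecr_token_expiration "$SAMPLE_TOKEN")"
  for now in 1634740000 1634745300 1634745900; do
    printf 'now=%s exp=%s -> %s\n' "$now" "$exp" "$(creds_decision "$exp" "$now")"
  done
}
main
```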