diff --git a/.buildkite/fpm-pipeline.yml b/.buildkite/fpm-pipeline.yml index 3c7da927..5bf07b7d 100644 --- a/.buildkite/fpm-pipeline.yml +++ b/.buildkite/fpm-pipeline.yml @@ -3,8 +3,7 @@ env: SETUP_GVM_VERSION: "v0.5.1" IMAGE_UBUNTU_X86_64: "family/core-ubuntu-2204" - DOCKER_REGISTRY: "docker.elastic.co" - STAGING_IMAGE: "${DOCKER_REGISTRY}/observability-ci" + STAGING_IMAGE: "docker.elastic.co/observability-ci" MAKEFILE: "fpm" CHANGESET_FILE: ".buildkite/scripts/changeset/fpm" DOCKER_FILTER_REF: "docker.elastic.co/beats-dev" @@ -20,6 +19,9 @@ common: lifetime: 10800 # seconds project-id: "elastic-observability-ci" project-number: "911195782929" + - docker_elastic_login_plugin: &docker_elastic_login_plugin + elastic/vault-docker-login#v0.6.0: + secret_path: 'kv/ci-shared/platform-ingest/elastic_docker_registry' steps: - label: ":linux: Build FPM / Ubuntu X86_64" @@ -38,3 +40,4 @@ steps: image: "${IMAGE_UBUNTU_X86_64}" plugins: - *gcp_oidc_plugin + - *docker_elastic_login_plugin diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command index 7da4d218..5cc20619 100644 --- a/.buildkite/hooks/pre-command +++ b/.buildkite/hooks/pre-command 
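Review bot: Removing `DOCKER_REGISTRY` from `env:` leaves any `${DOCKER_REGISTRY}` reference outside this diff undefined. The pre-command hook shown in this commit runs under `set -euo pipefail`, so a script with the same setting would abort on the unset name instead of expanding it to an empty string. The same removal is made in llvm-apple-pipeline.yml and pipeline.yml, while only build.sh and the two hooks are updated here. Before merging, search the Makefiles and `.buildkite/scripts` for the name and replace what remains with the literal host, as build.sh does.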
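Review bot: `elastic/vault-docker-login#v0.6.0` pins the plugin that fetches and uses the registry credential to a tag, and a tag can later be moved to code that was never reviewed. Buildkite accepts a commit SHA after `#`, so the key could read `elastic/vault-docker-login#<full-commit-sha>:  # v0.6.0`. The identical definition is added in llvm-apple-pipeline.yml and pipeline.yml, so the same change applies there. A comment above the anchor saying which steps need the login and whether the account at `kv/ci-shared/platform-ingest/elastic_docker_registry` can push would also help, since it replaces `docker_registry_prod` and its scope is not visible in this diff.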
@@ -4,17 +4,6 @@ set -euo pipefail source .buildkite/scripts/common.sh -DOCKER_REGISTRY_SECRET_PATH="kv/ci-shared/platform-ingest/docker_registry_prod" - -# Secrets must be redacted -# https://buildkite.com/docs/pipelines/managing-log-output#redacted-environment-variables - -if [[ ("$BUILDKITE_PIPELINE_SLUG" == "golang-crossbuild" || "$BUILDKITE_PIPELINE_SLUG" == "llvm-apple" || "$BUILDKITE_PIPELINE_SLUG" == "fpm") && ( "$BUILDKITE_STEP_KEY" == build* || "$BUILDKITE_STEP_KEY" == release* ) ]]; then - export DOCKER_USERNAME_SECRET=$(retry 5 vault kv get -field user "${DOCKER_REGISTRY_SECRET_PATH}") - export DOCKER_PASSWORD_SECRET=$(retry 5 vault kv get -field password "${DOCKER_REGISTRY_SECRET_PATH}") - docker login -u "${DOCKER_USERNAME_SECRET}" -p "${DOCKER_PASSWORD_SECRET}" "${DOCKER_REGISTRY}" 2>/dev/null -fi - if [[ "$BUILDKITE_PIPELINE_SLUG" == "golang-crossbuild" && "$BUILDKITE_STEP_KEY" == "release-post" ]]; then GITHUB_USERNAME_SECRET="elasticmachine" export GITHUB_USERNAME_SECRET=$GITHUB_USERNAME_SECRET diff --git a/.buildkite/hooks/pre-exit b/.buildkite/hooks/pre-exit index 0f77bcf3..558e71b9 100644 --- a/.buildkite/hooks/pre-exit +++ b/.buildkite/hooks/pre-exit @@ -6,9 +6,5 @@ source .buildkite/scripts/common.sh unset_secrets -if [[ ( "$BUILDKITE_PIPELINE_SLUG" == "golang-crossbuild" || "$BUILDKITE_PIPELINE_SLUG" == "llvm-apple" || "$BUILDKITE_PIPELINE_SLUG" == "fpm") && ( "$BUILDKITE_STEP_KEY" == build* ) ]]; then - docker logout "${DOCKER_REGISTRY}" -fi - # Ensure that any temporal files created during any step are removed cleanup diff --git a/.buildkite/llvm-apple-pipeline.yml b/.buildkite/llvm-apple-pipeline.yml index 8e05cd56..45d4a13c 100644 --- a/.buildkite/llvm-apple-pipeline.yml +++ b/.buildkite/llvm-apple-pipeline.yml 
@@ -4,8 +4,7 @@ env: SETUP_GVM_VERSION: "v0.5.1" IMAGE_UBUNTU_X86_64: "family/core-ubuntu-2204" IMAGE_UBUNTU_ARM_64: "core-ubuntu-2004-aarch64" - DOCKER_REGISTRY: "docker.elastic.co" - STAGING_IMAGE: "${DOCKER_REGISTRY}/observability-ci" + STAGING_IMAGE: "docker.elastic.co/observability-ci" MAKEFILE: "go/llvm-apple" CHANGESET_FILE: ".buildkite/scripts/changeset/llvm-apple" DOCKER_FILTER_REF: "*/*/golang-crossbuild:llvm-apple*" @@ -21,6 +20,9 @@ common: lifetime: 10800 # seconds project-id: "elastic-observability-ci" project-number: "911195782929" + - docker_elastic_login_plugin: &docker_elastic_login_plugin + elastic/vault-docker-login#v0.6.0: + secret_path: 'kv/ci-shared/platform-ingest/elastic_docker_registry' steps: - label: ":linux: Build LLVM Apple / Ubuntu X86_64 - {{matrix.debianVersion}}" @@ -41,6 +43,7 @@ steps: image: "${IMAGE_UBUNTU_X86_64}" plugins: - *gcp_oidc_plugin + - *docker_elastic_login_plugin matrix: setup: debianVersion: @@ -67,6 +70,7 @@ steps: instanceType: "t4g.large" plugins: - *gcp_oidc_plugin + - *docker_elastic_login_plugin matrix: setup: debianVersion: diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml index 92872f7c..2d0dc31f 100644 --- a/.buildkite/pipeline.yml +++ b/.buildkite/pipeline.yml @@ -5,8 +5,7 @@ env: IMAGE_UBUNTU_X86_64: "family/platform-ingest-beats-ubuntu-2204" INSTANCE_TYPE_X86_64: "n2-standard-4" IMAGE_UBUNTU_ARM_64: "core-ubuntu-2004-aarch64" - DOCKER_REGISTRY: "docker.elastic.co" - STAGING_IMAGE: "${DOCKER_REGISTRY}/observability-ci" + STAGING_IMAGE: "docker.elastic.co/observability-ci" BUILDX: 1 # This section is used to define the plugins that will be used in the pipeline. @@ -19,6 +18,9 @@ common: lifetime: 10800 # seconds project-id: "elastic-observability-ci" project-number: "911195782929" + - docker_elastic_login_plugin: &docker_elastic_login_plugin + elastic/vault-docker-login#v0.6.0: + secret_path: 'kv/ci-shared/platform-ingest/elastic_docker_registry' steps: 
@@ -110,6 +112,7 @@ steps: instanceType: "${INSTANCE_TYPE_X86_64}" plugins: - *gcp_oidc_plugin + - *docker_elastic_login_plugin retry: automatic: limit: 1 @@ -145,6 +148,7 @@ steps: instanceType: "t4g.large" plugins: - *gcp_oidc_plugin + - *docker_elastic_login_plugin retry: automatic: limit: 1 @@ -178,6 +182,7 @@ steps: instanceType: "${INSTANCE_TYPE_X86_64}" plugins: - *gcp_oidc_plugin + - *docker_elastic_login_plugin retry: automatic: limit: 1 @@ -213,6 +218,7 @@ steps: instanceType: "t4g.large" plugins: - *gcp_oidc_plugin + - *docker_elastic_login_plugin retry: automatic: limit: 1 diff --git a/.buildkite/scripts/build.sh b/.buildkite/scripts/build.sh index 02a80e8f..34a11a9a 100755 --- a/.buildkite/scripts/build.sh +++ b/.buildkite/scripts/build.sh @@ -14,10 +14,8 @@ with_mage make -C go -f "${MAKEFILE}" build"${is_arm}" GS_BUCKET_PATH=golang-crossbuild-ci-internal -echo "--- List Docker images staging"xd +echo "--- List Docker images staging" docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}" --filter=reference="${STAGING_IMAGE}/golang-crossbuild" -echo ":: List Docker images production ::" -docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}" --filter=reference="${DOCKER_REGISTRY}/beats-dev/golang-crossbuild" - - +echo "--- List Docker images production" +docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}" --filter=reference="docker.elastic.co/beats-dev/golang-crossbuild"
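Review bot: The four pipeline.yml steps that gain `- *docker_elastic_login_plugin` replace a hook that logged in for every step whose key matched `build*` or `release*`, and nothing in these hunks shows that the `release*` steps are among them. The step definitions start and end outside the hunks, so their keys are not visible; any step that pulls from or pushes to docker.elastic.co without the alias in its `plugins:` list will now run unauthenticated. The commit also drops the `docker logout` from pre-exit, so it is worth confirming that the plugin removes the stored credential when the job ends, or that the agents are single-use.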