diff --git a/util/resolver/resolver.go b/util/resolver/resolver.go
index 1eb3785393e0e..51d6caa8f5096 100644
--- a/util/resolver/resolver.go
+++ b/util/resolver/resolver.go
@@ -150,20 +150,41 @@ func NewRegistryConfig(m map[string]config.RegistryConfig) docker.RegistryHosts
 }
 
 type SessionAuthenticator struct {
-	sm *session.Manager
-	g  session.Group
-	mu sync.Mutex
+	sm    *session.Manager
+	g     session.Group
+	mu    sync.Mutex
+	cache map[string]credentials
+}
+
+type credentials struct {
+	user   string
+	secret string
 }
 
 func NewSessionAuthenticator(sm *session.Manager, g session.Group) *SessionAuthenticator {
-	return &SessionAuthenticator{sm: sm, g: g}
+	return &SessionAuthenticator{sm: sm, g: g, cache: map[string]credentials{}}
 }
 
 func (a *SessionAuthenticator) credentials(h string) (string, string, error) {
 	a.mu.Lock()
+	c, ok := a.cache[h]
+	if ok {
+		a.mu.Unlock()
+		return c.user, c.secret, nil
+	}
 	g := a.g
 	a.mu.Unlock()
-	return auth.CredentialsFunc(a.sm, g)(h)
+	u, s, err := auth.CredentialsFunc(a.sm, g)(h)
+	if err != nil {
+		return "", "", err
+	}
+	a.mu.Lock()
+	a.cache[h] = credentials{
+		user:   u,
+		secret: s,
+	}
+	a.mu.Unlock()
+	return u, s, nil
 }
 
 func (a *SessionAuthenticator) SetSession(g session.Group) {