# Private Docker Registries

Valohai supports pulling images from private Docker registries. Once configured, your organization's projects can use private images just like public ones.

## Supported registries

Valohai supports authentication with:

* [AWS Elastic Container Registry (ECR)](https://docs.valohai.com/docker-in-valohai/private-docker-registries/aws-ecr)
* [Docker Hub](https://docs.valohai.com/docker-in-valohai/private-docker-registries/docker-hub)
* [Google Cloud Artifact Registry](https://docs.valohai.com/docker-in-valohai/private-docker-registries/gcp)
* [Azure Container Registry](https://docs.valohai.com/docker-in-valohai/private-docker-registries/acr)
* [JFrog Artifactory](https://docs.valohai.com/docker-in-valohai/private-docker-registries/jfrog)
* Any registry using standard Docker authentication

## How it works

1. **Organization admins** configure registry credentials in Valohai
2. **Match patterns** determine which images use which credentials
3. **All projects** in your organization can pull matching private images
4. **Workers** automatically authenticate when pulling images

## Who can configure registries?

Only **organization admins** can add and manage private registry credentials.

Personal projects cannot access organization-level private registries. If you need private images, make sure your project is owned by an organization.

## Setup process

Each registry type has specific authentication requirements:

* **AWS ECR**: IAM user or instance role
* **Docker Hub**: Access token (not password)
* **GCP Artifact Registry**: Service account with Reader role
* **Azure Container Registry**: Service principal
* **JFrog**: Access token

Follow the guide for your registry to get started.

## Using private images

After configuration, reference private images in your `valohai.yaml` using their full name:

```yaml
- step:
    name: train-model
    image: myregistry.azurecr.io/ml-training:v2.0
    command:
      - python train.py
```

No changes to your code needed, Valohai handles authentication automatically.

## Troubleshooting image pulls

### Error: "unauthorized" or "access denied"

**Check:**

1. Registry credentials are correctly configured in organization settings
2. Match pattern covers your image (e.g., `myregistry.azurecr.io/*`)
3. Project is owned by an organization (personal projects can't access private registries)
4. Credentials have read permissions for the repository

### Image pull takes too long or times out

If pulls are consistently slow:

* Your registry might be rate-limiting requests
* Network connectivity between workers and registry might be constrained
* Consider setting up a [pull-through cache](https://docs.valohai.com/image-best-practices#speed-up-image-downloads-with-a-pull-through-cache)

### Need to verify which image was used?

Check the execution logs. Valohai logs the full image name and digest when pulling:

```
Pulling image: myregistry.azurecr.io/ml-training:v2.0
Image digest: sha256:abc123...
```