Private Docker Registries

Valohai supports pulling images from private Docker registries. Once configured, your organization's projects can use private images just like public ones.

Supported registries

Valohai supports authentication with:

AWS Elastic Container Registry (ECR)
Docker Hub
Google Cloud Artifact Registry
Azure Container Registry
JFrog Artifactory
Any registry using standard Docker authentication

How it works

Organization admins configure registry credentials in Valohai
Match patterns determine which images use which credentials
All projects in your organization can pull matching private images
Workers automatically authenticate when pulling images

Who can configure registries?

Only organization admins can add and manage private registry credentials.

Personal projects cannot access organization-level private registries. If you need private images, make sure your project is owned by an organization.

Setup process

Each registry type has specific authentication requirements:

AWS ECR: IAM user or instance role
Docker Hub: Access token (not password)
GCP Artifact Registry: Service account with Reader role
Azure Container Registry: Service principal
JFrog: Access token

Follow the guide for your registry to get started.

Using private images

After configuration, reference private images in your valohai.yaml using their full name:

- step:
    name: train-model
    image: myregistry.azurecr.io/ml-training:v2.0
    command:
      - python train.py

No changes to your code needed, Valohai handles authentication automatically.

Troubleshooting image pulls

Error: "unauthorized" or "access denied"

Check:

Registry credentials are correctly configured in organization settings
Match pattern covers your image (e.g., myregistry.azurecr.io/*)
Project is owned by an organization (personal projects can't access private registries)
Credentials have read permissions for the repository

Image pull takes too long or times out

If pulls are consistently slow:

Your registry might be rate-limiting requests
Network connectivity between workers and registry might be constrained
Consider setting up a pull-through cache

Need to verify which image was used?

Check the execution logs. Valohai logs the full image name and digest when pulling:

Pulling image: myregistry.azurecr.io/ml-training:v2.0
Image digest: sha256:abc123...

PreviousImage Best Practices NextAWS ECR

Last updated 1 month ago

Was this helpful?

hashtagSupported registries

hashtagHow it works

hashtagWho can configure registries?

hashtagSetup process

hashtagUsing private images

hashtagTroubleshooting image pulls

hashtagError: "unauthorized" or "access denied"

hashtagImage pull takes too long or times out

hashtagNeed to verify which image was used?