# AWS ECR

Configure Valohai to pull private images from AWS Elastic Container Registry.

> Private registries are restricted to organization projects. Personal projects don't have access to private repositories.

## Authentication options

Choose one:

1. **IAM User** (recommended for multi-cloud setups)
2. **Instance Role** (recommended for AWS-only deployments)

***

## Option 1: IAM User with ECR permissions

### Create the IAM user

1. Log in to your AWS Management Console
2. Create a new IAM user with **Programmatic access**
3. Create a policy named `valohai-ecr-policy` with the JSON below

Replace `<REGION>`, `<ACCOUNT_ID>`, and `<REPOSITORY>` with your values:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadECRRepository",
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeImageScanFindings",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:ListTagsForResource",
        "ecr:ListImages",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetRepositoryPolicy",
        "ecr:GetLifecyclePolicy"
      ],
      "Resource": "arn:aws:ecr:<REGION>:<ACCOUNT_ID>:repository/<REPOSITORY>"
    },
    {
      "Sid": "GetECRAuthToken",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}
```

4. Attach the policy to your new IAM user
5. Save the **Access Key ID** and **Secret Access Key**
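
The policy above allows read-only actions on one repository, plus the token call on `*`. The following Python check is an added example, not part of the Valohai documentation: it audits a filled-in policy for drift from that shape (extra actions, wildcard or multi-repository resources, unreplaced placeholders). The helper names `audit_policy` and `make_policy` are hypothetical, and the account ID, region, and repository in the sample input are constructed.

```python
import json
import re

# Read-only actions from the page's ReadECRRepository statement.
READ_ONLY = {
    "ecr:DescribeImageScanFindings", "ecr:GetLifecyclePolicyPreview",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:DescribeImages",
    "ecr:DescribeRepositories", "ecr:ListTagsForResource", "ecr:ListImages",
    "ecr:BatchCheckLayerAvailability", "ecr:GetRepositoryPolicy",
    "ecr:GetLifecyclePolicy",
}
TOKEN = "ecr:GetAuthorizationToken"  # not resource-scoped, so it needs "*"
REPO_ARN = re.compile(r"arn:aws:ecr:[a-z0-9-]+:\d{12}:repository/[a-z0-9._/-]+")
REPO = "arn:aws:ecr:us-east-1:123456789012:repository/my-repo"  # constructed

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return findings; an empty list means the policy is scoped as on the page."""
    findings = []
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        for action in actions:
            if action != TOKEN and action not in READ_ONLY:
                findings.append(f"{sid}: {action} is outside the read-only list")
        for res in as_list(stmt.get("Resource", [])):
            if "<" in res:
                findings.append(f"{sid}: unreplaced placeholder in {res}")
            elif res == "*" and actions != [TOKEN]:
                findings.append(f"{sid}: wildcard resource on repository actions")
            elif res != "*" and not REPO_ARN.fullmatch(res):
                findings.append(f"{sid}: {res} is not a single repository ARN")
    return findings

def make_policy(actions, resource):
    """Build a two-statement policy shaped like the page's (constructed input)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadECRRepository", "Effect": "Allow",
         "Action": actions, "Resource": resource},
        {"Sid": "GetECRAuthToken", "Effect": "Allow",
         "Action": TOKEN, "Resource": "*"},
    ]})

if __name__ == "__main__":
    for actions, res in [(sorted(READ_ONLY), REPO), (["ecr:*"], "*")]:
        print(audit_policy(make_policy(actions, res)))
```

Run it against the JSON you are about to attach, before creating the access key, so that an over-broad statement is caught while it is still a draft.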

### Add credentials to Valohai

1. Navigate to `Hi, <name>` (top-right menu) → `Manage <organization>`
2. Go to **Registries** under organization controls
3. Click **Add a new entry**
4. Configure:
   * **Match pattern**: `<account-id>.dkr.ecr.<region>.amazonaws.com/*`
     * Example: `123456789012.dkr.ecr.us-east-1.amazonaws.com/*`
     * Or narrow it: `123456789012.dkr.ecr.us-east-1.amazonaws.com/my-repo/*`
   * **Registry type**: AWS ECR (IAM credentials)
   * **Access Key ID**: Your IAM user's access key
   * **Secret Access Key**: Your IAM user's secret key
   * **Region**: Your ECR region (e.g., `us-east-1`)
5. Save

***

## Option 2: Instance Role

Instead of creating a separate IAM user, attach ECR permissions directly to your worker role.

### Update the worker role

Add the same policy from Option 1 to your `ValohaiWorkerRole` (or equivalent worker IAM role).

If you need to restrict access to specific environments, create a dedicated role and contact Valohai support (`support@valohai.com`) for configuration.

### Add credentials to Valohai

1. Navigate to `Hi, <name>` (top-right menu) → `Manage <organization>`
2. Go to **Registries** under organization controls
3. Click **Add a new entry**
4. Configure:
   * **Match pattern**: `<account-id>.dkr.ecr.<region>.amazonaws.com/*`
   * **Registry type**: AWS ECR (Instance Role)
   * **Role name**: Name of your worker IAM role (e.g., `ValohaiWorkerRole`)
   * **Region**: Your ECR region
5. Save

***

## Use the private image

Reference your ECR image in `valohai.yaml`:

```yaml
- step:
    name: train
    image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-ml-image:v1.0
    command:
      - python train.py
```

Valohai handles authentication automatically.
