Private Registries are restricted to organization projects
Private Docker registries are available only to projects that are owned by an organization or team. Personal projects don’t have access to private repositories.
Option 1: Create an IAM User with permissions to your ECR
- Log in to your AWS Management Console
- Create a new User with Programmatic access
- Create a new policy valohai-ecr-policy with the JSON below
Replace the placeholders with the right region, account ID, and registry name.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "0",
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeImageScanFindings",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:ListTagsForResource",
        "ecr:ListImages",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetRepositoryPolicy",
        "ecr:GetLifecyclePolicy"
      ],
      "Resource": "arn:aws:ecr:<REGION>:<ACCOUNT_ID>:repository/<REPOSITORY>"
    },
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}
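A check worth running on the filled-in policy before attaching it, as an added example (not Valohai's or AWS's own code): it confirms that every action is read-only, that `Resource: "*"` is used only for `ecr:GetAuthorizationToken` (which does not support resource-level permissions), and that no placeholder was left in the repository ARN. The read-only prefix heuristic, the function names, and the sample account ID, region and repository name are assumptions made for this example.

```python
import json
import re

# Heuristic for this example: ECR actions with these prefixes only read; Put*, Upload*, Delete*, Set* modify.
READ_PREFIXES = ("ecr:Get", "ecr:Describe", "ecr:List", "ecr:BatchGet", "ecr:BatchCheck")
REPO_ARN = re.compile(r"^arn:aws[a-z-]*:ecr:[a-z0-9-]+:\d{12}:repository/[^*]+$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_pull_policy(policy_json):
    """Return a list of findings; an empty list means the policy is pull-only and scoped."""
    findings = []
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        actions, resources = as_list(stmt["Action"]), as_list(stmt["Resource"])
        for action in actions:
            if "*" in action:
                findings.append(f"Sid {sid}: wildcard action {action}")
            elif not action.startswith(READ_PREFIXES):
                findings.append(f"Sid {sid}: non-read action {action}")
        for resource in resources:
            if resource == "*":
                # Only ecr:GetAuthorizationToken needs "*"; anything else should name a repository.
                extra = [a for a in actions if a != "ecr:GetAuthorizationToken"]
                if extra:
                    findings.append(f"Sid {sid}: Resource * also grants {', '.join(extra)}")
            elif "<" in resource:
                findings.append(f"Sid {sid}: unreplaced placeholder in {resource}")
            elif not REPO_ARN.match(resource):
                findings.append(f"Sid {sid}: resource is not a single repository ARN: {resource}")
    return findings

def make_policy(repo_actions, repo_resource):
    """Build a two-statement policy shaped like the one on this page (constructed input)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "0", "Effect": "Allow", "Action": repo_actions, "Resource": repo_resource},
        {"Sid": "1", "Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    ]})

# Constructed samples: the account ID, region and repository name are made up.
ARN = "arn:aws:ecr:eu-west-1:123456789012:repository/my-repository"
GOOD = make_policy(["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"], ARN)
TEMPLATE = make_policy(["ecr:BatchGetImage"], "arn:aws:ecr:<REGION>:<ACCOUNT_ID>:repository/<REPOSITORY>")
TOO_BROAD = make_policy(["ecr:BatchGetImage", "ecr:PutImage"], "*")
if __name__ == "__main__":
    print({n: lint_pull_policy(p) for n, p in [("good", GOOD), ("template", TEMPLATE), ("broad", TOO_BROAD)]})
```
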
Option 2: Use Instance Role
Instead of creating a separate IAM User that can access the ECR, you can add the permissions to the ValohaiWorkerRole by updating the ValohaiWorkerPolicy.
If you need to restrict the access to the repository to only certain environments, you will need to create a separate IAM role. Contact Valohai support (support@valohai.com) for more information.
Add credentials to Valohai
- Navigate to Hi, <name> (the top right menu) > Manage <organization>
- Go to Registries under the organization controls
- Add a new entry
- Insert the match pattern in the format of <domain>/<owner-and-or-repository>/*, e.g. <aws-account-id>.dkr.ecr.<region>.amazonaws.com/* or <aws-account-id>.dkr.ecr.<region>.amazonaws.com/my-repository/*
- Choose your registry type and provide the access credentials generated in the first step. If you’re using Option 2, it is enough to provide the name of the instance role and the region.
- Use the full name of the tagged image (e.g. <aws-account-id>.dkr.ecr.<region>.amazonaws.com/my-repository/myimage:0.1) when defining the image in your valohai.yaml