Comment on page

Private ECR Repositories

If you are a self-hosted user, Release automatically integrates with AWS Elastic Container Registry (ECR) and creates a private Docker image repository in your AWS account when you add an AWS integration.
The default ECR image repositories created by Release are private and images are only accessible by your AWS account and by our AWS IAM user. However, you may wish to deploy images from a different ECR repository, or even from an entirely different AWS account, to nodes in your Release environments.
In this guide, we'll add an ECR repository policy that allows Release's IAM user to pull Docker images from a private ECR repository in a different AWS account.
How to find Release's AWS IAM ID and cluster region
First, you'll need to find Release's AWS IAM user ID and cluster region under Account Settings > Clusters.
Screenshot showing AWS IAM User ID and cluster region in Release's Account Settings
Note down your Release AWS IAM ID and your cluster's AWS region.
In the example below, we'll use two example AWS accounts, 111111111111 as Release's IAM user, and 222222222222 as an external AWS account from which we'll pull an image.
How to use an image from a different ECR repository
This abridged application template shows how you could use an image from AWS ECR for one of your services in Release:
services:
- name: vendorapp
  image: 222222222222.dkr.ecr.eu-west-2.amazonaws.com/vendorapp:latest
  has_repo: false
  static: false
By looking at the example image URL, you might notice that the image belongs to the AWS IAM user 222222222222 in the AWS region eu-west-2.
For cross-account ECR access to work, the ECR repository must be in the same AWS region as your Release cluster. If your image repository is in a different region, you can use image replication in ECR to copy images from one AWS region to another.
How to grant Release's IAM user permissions to pull images from an external repository
To grant 111111111111 permissions to pull images from 222222222222's ECR repository, 222222222222 should add an ECR repository policy by following the steps below.
1.​Log in to AWS using IAM ID 222222222222.
2.Navigate to Amazon Elastic Container Registry.
Screenshot showing AWS navigation for ECR
1.Click on Repositories in the sidebar.
2.Select the repository that contains the image you would like to use.
3.Click the Actions dropdown.
4.Click Permissions.
Screenshot showing how to navigate to permissions for an ECR repository
1.Click Edit policy JSON.
Screenshot showing edit policy JSON for an ECR repository
1.Paste the following JSON (change 111111111111 to Release's IAM user ID):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReleasePull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages"
      ]
    }
  ]
}
1.Click Save.
2.If AWS successfully validates your policy JSON, the permissions screen should look like this:
Screenshot showing AWS ECR permissions screen after adding an external IAM user
Now you can try to deploy your application again and Release's IAM user should have the required permissions to pull the image.
How to configure Release's ECR private registry integration
To allow the private registry to be used as a FROM image in a Dockerfile built by Release, you'll also need to configure an ECR registry integration:
1.Navigate to Account Settings > Integrations
2.Click Setup under the AWS ECR private registry integration
Screenshot showing AWS ECR registry integration setup
3.Enter the ECR private registry hostname (e.g. 222222222222.dkr.ecr.eu-west-2.amazonaws.com).
4.Choose the same cloud integration used in the policy above.
5.Click Save.
Screenshot showing completed AWS ECR registry integration form
Now you can try to build your image again the release builder should have the required permissions to pull the base image.
Security considerations
As with any AWS IAM policy update, it is important to make sure you understand what a policy does before applying it to your resources. This means making sure that you apply the policy to the correct ECR repository, using the correct external IAM user ID, and allowing only the necessary actions.
For convenience, we've listed the Actions from our recommended policy, with links to relevant documentation:
​BatchCheckLayerAvailability - Checks the availability of one or more image layers in a repository.
​BatchGetImage - Gets detailed information for an image.
​DescribeImages - Returns metadata about the images in a repository.
​DescribeRepositories - Describes image repositories in a registry.
​GetAuthorizationToken - Retrieves an authorization token.
​GetDownloadUrlForLayer - Retrieves the pre-signed Amazon S3 download URL corresponding to an image layer.
​GetRepositoryPolicy - Retrieves the repository policy for the specified repository.
​ListImage - Lists all the image IDs for the specified repository.
We also recommend reading the AWS documentation about Private repository policies.

Permissions boundaries

Using an Existing AWS VPC

Last modified 3mo ago