Private ECR Repositories


Last updated 1 year ago


If you are a self-hosted user, Release automatically integrates with AWS Elastic Container Registry (ECR) and creates a private Docker image repository in your AWS account when you add an AWS integration.

The default ECR image repositories created by Release are private and images are only accessible by your AWS account and by our AWS IAM user. However, you may wish to deploy images from a different ECR repository, or even from an entirely different AWS account, to nodes in your Release environments.

In this guide, we'll add an ECR repository policy that allows Release's IAM user to pull Docker images from a private ECR repository in a different AWS account.

How to find Release's AWS IAM ID and cluster region

First, you'll need to find Release's AWS IAM user ID and cluster region under Account Settings > Clusters.

Note down your Release AWS IAM ID and your cluster's AWS region.

In the example below, we'll use two example AWS accounts, 111111111111 as Release's IAM user, and 222222222222 as an external AWS account from which we'll pull an image.

How to use an image from a different ECR repository

This abridged application template shows how you could use an image from AWS ECR for one of your services in Release:

services:
- name: vendorapp
  image: 222222222222.dkr.ecr.eu-west-2.amazonaws.com/vendorapp:latest
  has_repo: false
  static: false

Looking at the example image URL, you can see that the image belongs to the AWS account 222222222222 and is stored in the AWS region eu-west-2.

How to grant Release's IAM user permissions to pull images from an external repository

To grant 111111111111 permissions to pull images from 222222222222's ECR repository, 222222222222 should add an ECR repository policy by following the steps below.

  1. Log in to AWS using IAM ID 222222222222.

  2. Navigate to Amazon Elastic Container Registry.

  3. Click on Repositories in the sidebar.

  4. Select the repository that contains the image you would like to use.

  5. Click the Actions dropdown.

  6. Click Permissions.

  7. Click Edit policy JSON.

  8. Paste the following JSON (change 111111111111 to Release's IAM user ID):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReleasePull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages"
      ]
    }
  ]
}

  9. Click Save.

  10. If AWS successfully validates your policy JSON, the permissions screen should look like this:

[Screenshot: AWS ECR permissions screen after adding an external IAM user]

Now you can try to deploy your application again and Release's IAM user should have the required permissions to pull the image.

How to configure Release's ECR private registry integration

To allow the private registry to be used as a FROM image in a Dockerfile built by Release, you'll also need to configure an ECR registry integration:

  1. Navigate to Account Settings > Integrations.

  2. Click Setup under the AWS ECR private registry integration.

  3. Choose the same cloud integration used in the policy above.

  4. Enter the ECR private registry hostname (e.g. 222222222222.dkr.ecr.eu-west-2.amazonaws.com).

  5. Click Save.

Now you can try to build your image again, and the Release builder should have the required permissions to pull the base image.

Security considerations

As with any AWS IAM policy update, it is important to make sure you understand what a policy does before applying it to your resources. This means making sure that you apply the policy to the correct ECR repository, using the correct external IAM user ID, and allowing only the necessary actions.

For convenience, we've listed the Actions from our recommended policy:

  • BatchCheckLayerAvailability - Checks the availability of one or more image layers in a repository.

  • BatchGetImage - Gets detailed information for an image.

  • DescribeImages - Returns metadata about the images in a repository.

  • DescribeRepositories - Describes image repositories in a registry.

  • GetAuthorizationToken - Retrieves an authorization token.

  • GetDownloadUrlForLayer - Retrieves the pre-signed Amazon S3 download URL corresponding to an image layer.

  • GetRepositoryPolicy - Retrieves the repository policy for the specified repository.

  • ListImages - Lists all the image IDs for the specified repository.

We also recommend reading the AWS documentation about private repository policies.

For cross-account ECR access to work, the ECR repository must be in the same AWS region as your Release cluster. If your image repository is in a different region, you can use image replication in ECR to copy images from one AWS region to another.
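The checks this section asks for (the correct external account, only the necessary actions, and a repository in the same region as the cluster) can be run against a policy document before it is saved. The following is an added example, not code from Release: the function names and the constructed SAMPLE policy are assumptions for illustration, and the allowed action set is the one from the recommended policy on this page.

```python
import re

# Read-only actions from the page's recommended policy (IAM action names are case-insensitive).
PULL_ACTIONS = {a.lower() for a in (
    "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeImages",
    "ecr:DescribeRepositories", "ecr:GetAuthorizationToken",
    "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", "ecr:ListImages")}
IMAGE_RE = re.compile(r"^(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com/")
# Constructed sample: an over-broad policy, for contrast with the recommended one.
SAMPLE = {"Statement": [{"Sid": "TooBroad", "Effect": "Allow", "Principal": "*",
                         "Action": ["ecr:BatchGetImage", "ecr:PutImage"]}]}

# IAM JSON accepts a bare string or object wherever a list is allowed.
def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_pull_policy(policy, release_account):
    """Return findings for a repository policy meant to grant pull-only access."""
    wanted = {release_account, f"arn:aws:iam::{release_account}:root"}
    findings, granted = [], False
    for stmt in [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]:
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        names = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        for name in names:
            if name == "*":
                findings.append(f"{sid}: wildcard principal matches any AWS principal")
            elif name in wanted:
                granted = True
            else:
                findings.append(f"{sid}: unexpected principal {name}")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif action.lower() not in PULL_ACTIONS:
                findings.append(f"{sid}: {action} is not needed to pull images")
    if not granted:
        findings.append(f"no Allow statement names account {release_account}")
    return findings

def check_region(image, cluster_region):
    """Compare the region in an ECR image URL with the cluster region; None means a match."""
    match = IMAGE_RE.match(image)
    if not match:
        return f"{image} is not an ECR image URL"
    if match.group(2) != cluster_region:
        return f"repository is in {match.group(2)}, cluster is in {cluster_region}"
    return None
```

Calling audit_pull_policy(SAMPLE, "111111111111") reports the wildcard principal, the ecr:PutImage action, and the missing grant to the Release account, while the recommended policy above produces no findings.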