Private ECR Repositories
If you are a self-hosted user, ReleaseHub automatically integrates with AWS Elastic Container Registry (ECR) and creates a private Docker image repository in your AWS account when you add an AWS integration.
The default ECR image repositories created by ReleaseHub are private and images are only accessible by your AWS account and by our AWS IAM user. However, you may wish to deploy images from a different ECR repository, or even from an entirely different AWS account, to nodes in your ReleaseHub environments.
In this guide, we'll add an ECR repository policy that allows ReleaseHub's IAM user to pull Docker images from a private ECR repository in a different AWS account.
Screenshot showing AWS IAM User ID and cluster region in ReleaseHub's Account Settings
Note down your ReleaseHub AWS IAM ID and your cluster's AWS region.
In the example below, we'll use two example AWS accounts, 111111111111 as ReleaseHub's IAM user, and 222222222222 as an external AWS account from which we'll pull an image.
This abridged application template shows how you could use an image from AWS ECR for one of your services in ReleaseHub:
- name: vendorapp
By looking at the example image URL, you might notice that the image belongs to the AWS IAM user 222222222222 in the AWS region
111111111111 permissions to pull images from 222222222222's ECR repository, 222222222222 should add an ECR repository policy by following the steps below.
- 2. Navigate to Amazon Elastic Container Registry.
Screenshot showing AWS navigation for ECR
- 1. Click on Repositories in the sidebar.
- 2. Select the repository that contains the image you would like to use.
- 3. Click the Actions dropdown.
- 4. Click Permissions.
Screenshot showing how to navigate to permissions for an ECR repository
- 1. Click Edit policy JSON.
Screenshot showing edit policy JSON for an ECR repository
- 1. Paste the following JSON (change 111111111111 to ReleaseHub's IAM user ID):
- 1. Click Save.
- 2. If AWS successfully validates your policy JSON, the permissions screen should look like this:
Screenshot showing AWS ECR permissions screen after adding an external IAM user
Now you can try to deploy your application again and ReleaseHub's IAM user should have the required permissions to pull the image.
As with any AWS IAM policy update, it is important to make sure you understand what a policy does before applying it to your resources. This means making sure that you apply the policy to the correct ECR repository, using the correct external IAM user ID, and allowing only the necessary actions.
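The checks named above (correct external ID, only the necessary actions) can be run over the policy JSON before you save it. This Python audit is an added example, not ReleaseHub's code or policy. The pull-only action set, the `arn:aws:iam::<account>:root` principal form and the sample policies are assumptions, since the page's own policy JSON is not reproduced here.

```python
import json

# Assumption: the minimum actions a cross-account image pull needs (lowercased,
# since IAM action names are case-insensitive). Not copied from the page.
PULL_ACTIONS = {"ecr:batchchecklayeravailability", "ecr:batchgetimage",
                "ecr:getdownloadurlforlayer"}

def as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def account_of(principal):
    """Account ID from a bare 12-digit ID or an arn:aws:iam:: ARN, else None."""
    if len(principal) == 12 and principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[:3] == ["arn", "aws", "iam"] else None

def audit_repository_policy(policy_json, expected_account):
    """Return findings for each Allow statement broader than a pull grant."""
    findings = []
    for stmt in as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows everything not listed")
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for p in as_list(values):
                # Anything other than the expected account fails closed.
                if kind != "AWS" or account_of(p) != expected_account:
                    findings.append(f"{sid}: unexpected principal {kind}={p}")
        for action in as_list(stmt.get("Action")):
            if action.lower() not in PULL_ACTIONS:
                findings.append(f"{sid}: action beyond image pull: {action}")
    return findings

# Constructed sample policies; 111111111111 is the page's placeholder ID.
TIGHT = json.dumps({"Statement": [{"Sid": "AllowPull", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
               "ecr:BatchCheckLayerAvailability"]}]})
LOOSE = json.dumps({"Statement": [{"Sid": "TooBroad", "Effect": "Allow",
    "Principal": "*", "Action": ["ecr:BatchGetImage", "ecr:PutImage"]}]})
```

Call `audit_repository_policy(policy_text, "111111111111")` on the JSON you are about to paste; an empty list means nothing was flagged.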
For convenience, we've listed the Actions from our recommended policy, with links to relevant documentation: