docs: Add tutorial for using private AWS ECR images#639
docs: Add tutorial for using private AWS ECR images#639promptless[bot] wants to merge 4 commits into
Conversation
Documents cross-account IAM delegation that allows Runpod to pull images from private AWS ECR repositories without managing credentials directly.
![promptless[bot]](https://avatars.githubusercontent.com/in/979718?s=60&v=4){kind=small}
| ], | ||
| "Condition": { | ||
| "StringEquals": { | ||
| "aws:PrincipalArn": "arn:aws:iam::418399314813:role/prod-us-east-1-deployment-role" |
There was a problem hiding this comment.
IAM policy details including the aws:PrincipalArn condition for Runpod's deployment role (418399314813) and the required ECR permissions (ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability, ecr:GetDownloadUrlForLayer, ecr:BatchGetImage) were provided in engineering comments by page.kelly@runpod.io on this Linear issue.
Source: https://linear.app/runpod/issue/CE-1305/tutorial-or-documentation-for-ecr-delegation
There was a problem hiding this comment.
Note: I wrote this example with the wrong AWS account number, the prod account is 550005742258 and this should be reflected in the tutorial. Other than that this is all correct
There was a problem hiding this comment.
@Promptless arn to be changed as "550005742258" from "418399314813"
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
| ], | ||
| "Condition": { | ||
| "StringEquals": { | ||
| "aws:PrincipalArn": "arn:aws:iam::418399314813:role/prod-us-east-1-deployment-role" |
There was a problem hiding this comment.
Note: I wrote this example with the wrong AWS account number, the prod account is 550005742258 and this should be reflected in the tutorial. Other than that this is all correct
| ], | ||
| "Condition": { | ||
| "StringEquals": { | ||
| "aws:PrincipalArn": "arn:aws:iam::418399314813:role/prod-us-east-1-deployment-role" |
There was a problem hiding this comment.
Same note here, revise prod AWS account number to 550005742258
| 2. Scroll down to **Container Registry Authentication** and click **Add Credential**. | ||
| 3. Select **AWS ECR** as the registry type. | ||
| 4. Enter a **Name** for this credential (for example, `my-ecr-repo`). | ||
| 5. Enter the **ECR Image URI** in the format `ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/REPOSITORY_NAME`. |
There was a problem hiding this comment.
This format is mostly correct, but the URI format for the image name will include both the repository name and a tag, separated by a colon ( e.g. repository:latest )
It's worth noting that the ECR page for a repository has a button for copying the URI directly, which will follow this format
|
|
||
| 1. Navigate to [Pods](https://www.runpod.io/console/pods) and select **Deploy**. | ||
| 2. Choose your GPU configuration. | ||
| 3. Under **Container Image**, enter your full ECR image URI (for example, `123456789012.dkr.ecr.us-east-2.amazonaws.com/my-app:latest`). |
There was a problem hiding this comment.
For example, this image URI is correctly formatted
|
Just a reminder: If you'd like me to act on any feedback you have via Github comments, just type @Promptless in your suggestion and I'll get right on it! (I won't show up in the user dropdown, but I'll process any request that has @Promptless in the comment body.) |
Add Step 1 for pushing images to ECR with AWS CLI setup, repository creation, and Docker commands. Enhance notes explaining Runpod's IAM role ARN. Add troubleshooting section for common issues. Include template-based deployment option alongside direct deployment.
Changed the AWS account ID from 418399314813 to 550005742258 in the IAM policy examples per reviewer feedback.
|
Updated the AWS account ID from |
runpod-ebooks
left a comment
runpod-ebooks
left a comment
There was a problem hiding this comment.
Seems good to me, only one note and it's minor
| 2. Scroll down to **Container Registry Authentication** and click **Add Credential**. | ||
| 3. Select **AWS ECR** as the registry type. | ||
| 4. Enter a **Name** for this credential (for example, `my-ecr-repo`). | ||
| 5. Enter the **ECR Image URI** in the format `ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/REPOSITORY_NAME`. Runpod also accepts the full ARN format. |
There was a problem hiding this comment.
My only note here is that you do need the tag name to store a delegation, though I suppose since the permission is repository-wide we could relax that requirement later
| 2. Scroll down to **Container Registry Authentication** and click **Add Credential**. | ||
| 3. Select **AWS ECR** as the registry type. | ||
| 4. Enter a **Name** for this credential (for example, `my-ecr-repo`). | ||
| 5. Enter the **ECR Image URI** in the format `ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/REPOSITORY_NAME`. Runpod also accepts the full ARN format. |
There was a problem hiding this comment.
@Promptless change it to Enter the ECR Image URI in the format ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/REPOSITORY_NAME:TAG : you must include the tag (for example, :latest or :v1.0.0). Runpod requires the tag to store the delegation.
Addresses reviewer feedback: explicitly state that the tag is required for ECR Image URI format and that Runpod requires it to store the delegation.
|
Thanks for the feedback, @lavanya-gunreddi! I've updated the ECR Image URI format to include the tag requirement:
The change has been pushed to this PR. |
2 participants
Open this suggestion in Promptless to view citations and reasoning process
Documents how to deploy Pods using container images from private AWS ECR repositories via cross-account IAM delegation. Covers configuring ECR repository policies, adding ECR credentials in Runpod, and deploying Pods with private images.
Trigger Events
Tip: Worried about broken links? Ask Promptless to find and fix them automatically 🔗