
Accessing Amazon ECR

In this section we will configure Amazon Elastic Container Registry access for Anyscale clusters. This is useful if you want to launch Clusters with custom images stored in a private registry. This consists of two steps:

  1. The IAM Role used by Anyscale Clusters needs the correct policies to read from ECR.
  2. The repository in ECR must grant access to the given IAM Role.

Attach AmazonEC2ContainerRegistryReadOnly to the Cluster Node Role

Refer to Manage IAM Roles to determine the name of the IAM Role that Anyscale Clusters are assigned.

  1. Look in the Permissions policies section of your Role. If AmazonEC2ContainerRegistryReadOnly is already attached to the role, no further action is required. If it is not, continue with the steps below to attach it.
  2. Click Add Permissions and select Attach policies.
  3. Search for AmazonEC2ContainerRegistryReadOnly and select the policy.
  4. Click Attach policies.

Grant the Cluster Node Role access to a private ECR repository

  1. Search for the Cluster Node Role on the AWS IAM page and select it.
  2. Find and copy the ARN.
  3. Search for the private repo that you want to grant access to on the AWS ECR page and select it.
  4. Navigate to the Permissions section.
  5. Select Edit JSON Policy.
  6. Add the Role ARN from step 2 into the <REPLACE_WITH_ARN> field in the JSON below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<REPLACE_WITH_ARN>"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeImageScanFindings",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "ecr:ListTagsForResource"
      ]
    }
  ]
}

Once this step is completed, nodes launched by Anyscale should have access to your private registry.
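
A pre-apply check for the repository policy above, as an added example that is not part of the Anyscale documentation: it flags a principal that is not a single IAM role ARN (including the unreplaced placeholder) and any action outside the read-only set the page grants. The function name, the verb-prefix list and the sample account ID and role name are assumptions constructed for illustration.

```python
import json
import re

# Shape of an IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<name>
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
# Verb prefixes covering every action in the page's AllowPull statement (assumed rule).
READ_PREFIXES = ("ecr:Get", "ecr:Describe", "ecr:List", "ecr:BatchGet", "ecr:BatchCheck")


def as_list(value):
    """IAM JSON accepts a bare string or object where a list is allowed."""
    return list(value) if isinstance(value, list) else [value]


def audit_repo_policy(policy_text):
    """Return findings for an ECR repository policy; an empty list means it passed."""
    findings = []
    for stmt in as_list(json.loads(policy_text)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for arn in arns:
            if arn == "<REPLACE_WITH_ARN>":
                findings.append(f"{sid}: placeholder principal was never replaced")
            elif not isinstance(arn, str) or not ROLE_ARN_RE.match(arn):
                findings.append(f"{sid}: principal {arn!r} is not a single IAM role ARN")
        for action in as_list(stmt.get("Action", [])):
            if not action.startswith(READ_PREFIXES):
                findings.append(f"{sid}: action {action} is not read-only")
    return findings


# Constructed samples: the account ID and role name are placeholders, not real values.
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowPull", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-cluster-node-role"},
    "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]}]})
BAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "TooBroad", "Effect": "Allow", "Principal": "*",
    "Action": ["ecr:BatchGetImage", "ecr:PutImage"]}]})

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_repo_policy(text) or "ok")
```

Run it against the JSON you are about to paste into Edit JSON Policy; an empty findings list means the statement names one role and grants only pull and read actions.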