Accessing Amazon ECR

In this section we will configure Amazon Elastic Container Registry access for Anyscale clusters. This is useful if you want to launch nodes with custom images stored in a private registry. At a high level, this consists of two steps:

  1. The IAM role used by Anyscale nodes needs the correct policies to read from ECR.
  2. The ECR repository should grant access to that IAM role. This is only necessary if ECR is hosted in a different account than the account backing your EC2 instances.

Step 1. Attach AmazonEC2ContainerRegistryReadOnly to <cloud-id>-cluster_node_role role

info

This guide assumes that Anyscale nodes are launched into your account with the <cloud-id>-cluster_node_role role. If your nodes are being launched with ray-autoscaler-v1, or if you are using a custom AWS IAM role then you can apply the same steps to that role instead to grant ECR access.

  1. Search for the <cloud-id>-cluster_node_role role on the AWS IAM page and select it.
  2. Look in the "Permissions policies" section of your role. If it has AmazonEC2ContainerRegistryReadOnly, you are done! If not, continue to set up the correct policies.
  3. Click "Add permissions" and select "Attach policies".
  4. Search for AmazonEC2ContainerRegistryReadOnly and select the policy.
  5. Click "Attach policies".

Step 2. Grant <cloud-id>-cluster_node_role access to your private ECR repository


This step is only necessary if the private ECR repository is hosted in a different account than the account backing your EC2 instances. If your instances are in the same account, then you should only need to complete the previous section.

  1. Search for the <cloud-id>-cluster_node_role role on the AWS IAM page and select it.
  2. Find and copy the role's ARN.
  3. Search for the private repository that you want to grant access to on the AWS ECR page and select it.
  4. Navigate to the Permissions section.
  5. Select "Edit JSON Policy".
  6. In the following policy, replace <REPLACE_WITH_ARN> with the <cloud-id>-cluster_node_role ARN you copied in step 2, then save the policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowPull",
          "Effect": "Allow",
          "Principal": {
            "AWS": "<REPLACE_WITH_ARN>"
          },
          "Action": [
            "ecr:BatchCheckLayerAvailability",
            "ecr:BatchGetImage",
            "ecr:DescribeImageScanFindings",
            "ecr:DescribeImages",
            "ecr:DescribeRepositories",
            "ecr:GetAuthorizationToken",
            "ecr:GetDownloadUrlForLayer",
            "ecr:GetLifecyclePolicy",
            "ecr:GetLifecyclePolicyPreview",
            "ecr:GetRepositoryPolicy",
            "ecr:ListImages",
            "ecr:ListTagsForResource"
          ]
        }
      ]
    }

Once this step is completed, nodes launched by Anyscale should have access to your private registry.
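As an added example (not Anyscale's code), the following script renders the repository policy above with a real role ARN substituted and then checks that the result is still pull-only: a single, specific role as principal and no write or wildcard actions. The account id and cloud id in it are constructed placeholders.

```python
"""Render the cross-account ECR pull policy from this guide and verify it
stays least-privilege. Added example, not Anyscale's code; the account id
and cloud id used below are constructed placeholders."""
import json
import re

# The actions granted by the guide's AllowPull statement (all read-only).
# ecr:GetAuthorizationToken is also part of AmazonEC2ContainerRegistryReadOnly
# attached in step 1; it is account-level, so the IAM policy is what makes
# `docker login` work, the repository policy covers the pull itself.
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
    "ecr:DescribeImageScanFindings", "ecr:DescribeImages",
    "ecr:DescribeRepositories", "ecr:GetAuthorizationToken",
    "ecr:GetDownloadUrlForLayer", "ecr:GetLifecyclePolicy",
    "ecr:GetLifecyclePolicyPreview", "ecr:GetRepositoryPolicy",
    "ecr:ListImages", "ecr:ListTagsForResource",
]

# Any ECR action outside these prefixes (ecr:PutImage, ecr:*, "*", ...)
# would turn a pull policy into a push or full-control policy.
READ_ONLY_PREFIXES = ("ecr:Get", "ecr:Describe", "ecr:List", "ecr:Batch")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def render_pull_policy(role_arn: str) -> dict:
    """Return the guide's policy with <REPLACE_WITH_ARN> filled in."""
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowPull", "Effect": "Allow",
        "Principal": {"AWS": role_arn}, "Action": list(PULL_ACTIONS)}]}


def check_pull_only(policy: dict, expected_role_arn: str) -> list:
    """List problems with a repository policy; empty means only the expected
    role is allowed, and only read actions. Handles Principal "*" and lists."""
    problems = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not a concern here
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            if p != expected_role_arn:
                problems.append(f"{sid}: unexpected principal {p}")
        actions = st.get("Action", [])
        for a in ([actions] if isinstance(actions, str) else actions):
            if not a.startswith(READ_ONLY_PREFIXES):
                problems.append(f"{sid}: non-read action {a}")
    return problems


if __name__ == "__main__":
    role = "arn:aws:iam::111122223333:role/cld_example-cluster_node_role"  # placeholder
    print(json.dumps(render_pull_policy(role), indent=2))
```

Paste the printed JSON into "Edit JSON Policy" in step 5; run `check_pull_only` on the saved policy document whenever it is edited to catch a principal or action creeping in.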