LogoLogo
Bonsai (0.13) DocsGitHubDiscord CommunityGarden Enterprise
Acorn (0.12)
Acorn (0.12)
  • Welcome!
  • 🌳Basics
    • How Garden Works
    • Quickstart Guide
    • The Stack Graph (Terminology)
  • 🌻Tutorials
    • Your First Project
      • 1. Initialize a Project
      • 2. Connect to a Cluster
      • 3. Deploy and Test
      • 4. Configure Your Project
  • 💐Using Garden
    • Configuration Overview
    • Projects
    • Modules
    • Services
    • Tests
    • Tasks
    • Workflows
    • Variables and templating
    • Module Templates
    • Using the CLI
  • 🌿Kubernetes Plugins
    • About
    • Remote K8s Plugin Configuration
      • 1. Create a Cluster
        • AWS
        • GCP
        • Azure
      • 2. Configure Container Registry (Optional)
        • AWS
        • GCP
        • Azure
      • 3. Set Up Ingress, TLS and DNS
      • 4. Configure the Provider
    • Local K8s Plugin Configuration
      • 1. Install Local Kubernetes
      • 2. Configure the Provider
    • Module Configuration
      • Container
      • Kubernetes
      • Helm
      • PersistentVolumeClaim
      • ConfigMap
    • Advanced
      • In-Cluster Building
      • Minimal RBAC Configuration for Development Clusters
      • Deploying to Production
  • 🌺Terraform Plugin
    • About
    • Provider Configuration
    • Module Configuration
  • ☘️Pulumi Plugin
    • About
    • Provider Configuration
    • Module Configuration
  • 🌹Other Plugins
    • Container
    • Exec (local scripts)
  • 🌼Guides
    • Installing Garden
    • Adopting Garden
    • Code Synchronization (Dev Mode)
    • Connecting a local service to a K8s cluster (Local Mode)
    • Environments and namespaces
    • Hot Reload
    • Migrating from Docker Compose to Garden
    • Using Garden in CI
  • 🌷Advanced
    • cert-manager Integration
    • Using Remote Sources
    • Custom Commands
  • 🪷Reference
    • Providers
      • conftest-container
      • conftest-kubernetes
      • conftest
      • container
      • exec
      • hadolint
      • jib
      • kubernetes
      • local-kubernetes
      • maven-container
      • octant
      • openfaas
      • pulumi
      • terraform
    • Module Types
      • configmap
      • conftest
      • container
      • exec
      • hadolint
      • helm
      • jib-container
      • kubernetes
      • maven-container
      • openfaas
      • persistentvolumeclaim
      • pulumi
      • templated
      • terraform
    • Template Strings
      • Project configuration context
      • Environment configuration context
      • Provider configuration context
      • Module configuration context
      • Remote Source configuration context
      • Project Output configuration context
      • Custom Command configuration context
      • Workflow configuration context
      • Template Helper Functions
    • Glossary
    • Commands
    • Project Configuration
    • Module Template Configuration
    • Workflow Configuration
  • 🎋Misc
    • FAQ
    • Troubleshooting
    • Telemetry
Powered by GitBook
On this page
  • Setting up an ECR registry
  • Enabling in-cluster building
  • Configuring Access

Was this helpful?

  1. Kubernetes Plugins
  2. Remote K8s Plugin Configuration
  3. 2. Configure Container Registry (Optional)

AWS

Previous2. Configure Container Registry (Optional)NextGCP

Last updated 1 year ago

Was this helpful?

Setting up an ECR registry

Follow to create a private ECR registry on AWS.

Then follow to create an image pull secret so that your cluster can pull images from your registry.

Make note of the ImagePullSecret name and namespace.

Enabling in-cluster building

For AWS ECR (Elastic Container Registry), you need to enable the ECR credential helper once for the repository by adding an imagePullSecret for you ECR repository.

First create a config.json somewhere with the following contents (<aws_account_id> and <region> are placeholders that you need to replace for your repo):

{
  "credHelpers": {
    "<aws_account_id>.dkr.ecr.<region>.amazonaws.com": "ecr-login"
  }
}

Next create the imagePullSecret in your cluster (feel free to replace the default namespace, just make sure it's correctly referenced in the config below):

kubectl --namespace default create secret generic ecr-config \
  --from-file=.dockerconfigjson=./config.json \
  --type=kubernetes.io/dockerconfigjson

Make note of the ImagePullSecret name and namespace.

Configuring Access

To grant your service account the right permission to push to ECR, add this policy to each of the repositories in the container registry that you want to use with in-cluster building:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPushPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<account-id>:role/<k8s_worker_iam_role>"                ]
            },
            "Action": [
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:CompleteLayerUpload",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ]
        }
    ]
}

To grant developers permission to push and pull directly from a repository, see .

🌿
this guide
this guide
the AWS documentation