Skip to main content

Private Container Registries

Shipyard supports pulling images from private registries including AWS/ECR, Docker Hub, GCP/GCR, Quay, GitHub Packages, and JFrog Artifactory.

You can add credentials by navigating to your Org Settings page.

Add an external container registry from the Shipyard Org Settings page


When adding registry credentials, select the ECR option.

  • Host: [your ECR host]
  • Access Key: [your AWS access key]
  • Secret Key: [your AWS secret key]
  • Region: [the ECR region, like us-east-1]

The AWS user needs read access to ECR via IAM.

Here's a read-only policy straight from the AWS docs which would grant AWS ECR access to a Shipyard user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings"
            ],
            "Resource": "*"
        }
    ]
}