Private Docker Registries
A guide to configuring a private container registry for your truss
Truss uses containerized environments to ensure consistent model execution across deployments. When deploying a custom base image or a custom server from a private registry, you must grant Baseten access to download that image.
Amazon Elastic Container Registry (ECR)
For ECR, Truss supports either long-lived access with an IAM user's access keys or short-lived access with an access token.
AWS IAM Service accounts
To use an IAM service account for long-lived access, use the AWS_IAM authentication method in Truss.
- Create an AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for an IAM user in the AWS console. Scope that user to pull-only permissions on the repositories Baseten needs.
- Add these as secrets in Baseten, named aws_access_key_id and aws_secret_access_key respectively.
- Choose the AWS_IAM authentication method when setting up your Truss. The config.yaml file should look something like this:
Note that you need to specify the registry and the image separately.
If you'd like to use secret names other than the defaults, set them with the aws_access_key_id_secret_name and aws_secret_access_key_secret_name options under docker_auth:
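An added example (not from the Truss docs or the Truss project) that writes the AWS_IAM config.yaml described above. It assumes the docker_auth field names auth_method, registry, aws_access_key_id_secret_name and aws_secret_access_key_secret_name as accepted by current Truss releases; the account id, region, image name and TRUSS_DIR variable are placeholders.

```shell
#!/bin/sh
# Added example, not Truss project code. Emits a Truss config.yaml whose base
# image is pulled from ECR with the AWS_IAM docker_auth method.
# Assumed: docker_auth field names (auth_method, registry,
# aws_access_key_id_secret_name, aws_secret_access_key_secret_name) match the
# Truss release in use; account id, region and image are placeholders.

# Print the config to stdout.
#   $1 registry host, e.g. 123456789012.dkr.ecr.us-east-1.amazonaws.com
#   $2 image path with tag inside that registry, e.g. my-model-base:1.0
#   $3 / $4 Baseten secret names holding the key id / secret key (optional,
#           default to aws_access_key_id / aws_secret_access_key)
ecr_iam_config() {
  registry="$1"
  image="$2"
  key_id_secret="${3:-aws_access_key_id}"
  secret_key_secret="${4:-aws_secret_access_key}"
  cat <<EOF
base_image:
  # registry and image are given separately: Truss authenticates to the
  # registry host, then pulls the image from it.
  image: ${registry}/${image}
  docker_auth:
    auth_method: AWS_IAM
    registry: ${registry}
    aws_access_key_id_secret_name: ${key_id_secret}
    aws_secret_access_key_secret_name: ${secret_key_secret}
EOF
}

# The IAM user whose keys live in Baseten only ever pulls, so give it a
# pull-only policy (or the AWS-managed AmazonEC2ContainerRegistryReadOnly):
#   ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability,
#   ecr:GetDownloadUrlForLayer, ecr:BatchGetImage
# Rotate the keys like any long-lived credential; a leaked key id/secret pair
# grants registry access until it is deactivated.

# Usage: write the file into a truss directory given via TRUSS_DIR.
if [ -n "${TRUSS_DIR:-}" ]; then
  ecr_iam_config "123456789012.dkr.ecr.us-east-1.amazonaws.com" "my-model-base:1.0" \
    > "${TRUSS_DIR}/config.yaml"
fi
```

Passing a third and fourth argument (for example `ecr_iam_config "$REGISTRY" "$IMAGE" my_key_id my_secret_key`) produces the variant with custom secret names; the two `*_secret_name` lines are the only difference.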
Access Token
- Get a Base64-encoded secret:
- Add a new secret to Baseten named DOCKER_REGISTRY_{aws account id}.dkr.ecr.{us-east-1}.amazonaws.com (substitute your account id and region) with the Base64-encoded secret as the value.
- Add the secret name to the secrets section of the config.yaml to allow this model to access the secret when it is pushed.
Google Cloud Artifact Registry
For Artifact Registry, Truss supports either a service account key for long-lived access or an access token for short-lived access.
Service Account
- Get your service account key as a JSON key blob.
- Add a new secret to Baseten named gcp-service-account (or similar) with the JSON key blob as the value.
- Add the secret name that you used to the secrets section of the config.yaml to allow this model to access the secret when it is pushed.
- Configure the docker_auth section under base_image so that the service account authentication method is used:
Note that here, secret_name must match the name of the secret that contains the JSON key blob.
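An added example (not from the Truss docs or the Truss project) for the service-account flow above: it checks the downloaded key file before it is stored as a Baseten secret and writes the matching config.yaml. It assumes the auth_method value GCP_SERVICE_ACCOUNT_JSON and the docker_auth fields secret_name and registry as accepted by current Truss releases, and that the secrets section lists the secret name with a null value; project, repository, image and the TRUSS_DIR variable are placeholders.

```shell
#!/bin/sh
# Added example, not Truss project code. Emits a Truss config.yaml that pulls
# the base image from Google Artifact Registry with a service-account key held
# in a Baseten secret, and sanity-checks the key file before it is uploaded.
# Assumed: the auth_method value GCP_SERVICE_ACCOUNT_JSON and the docker_auth
# fields secret_name and registry match the Truss release in use; the secrets:
# section lists the secret name with a null value; project, repo and image
# names are placeholders.

# Print the config to stdout.
#   $1 registry host, e.g. us-west2-docker.pkg.dev
#   $2 image path with tag, e.g. my-project/my-repo/my-model-base:1.0
#   $3 Baseten secret holding the JSON key (optional, default gcp-service-account)
gar_sa_config() {
  registry="$1"
  image="$2"
  secret="${3:-gcp-service-account}"
  cat <<EOF
base_image:
  image: ${registry}/${image}
  docker_auth:
    auth_method: GCP_SERVICE_ACCOUNT_JSON
    # secret_name must match the Baseten secret that holds the JSON key blob
    secret_name: ${secret}
    registry: ${registry}
secrets:
  ${secret}: null
EOF
}

# Reject the wrong kind of credential before it ends up in Baseten: the blob
# must be a service-account key (type service_account), not a user credential
# from `gcloud auth application-default login` (type authorized_user), and it
# must still contain the private key and client email, i.e. not be truncated.
check_sa_key() {
  key_file="$1"
  grep -q '"type": *"service_account"' "$key_file" || return 1
  grep -q '"private_key"' "$key_file" || return 1
  grep -q '"client_email"' "$key_file" || return 1
}

# Creating a pull-only key (needs gcloud and network; not run here):
#   gcloud artifacts repositories add-iam-policy-binding my-repo \
#     --location=us-west2 --member=serviceAccount:${SA} --role=roles/artifactregistry.reader
#   gcloud iam service-accounts keys create key.json --iam-account=${SA}
# Upload the whole key.json as the secret value, then delete the local copy.

if [ -n "${TRUSS_DIR:-}" ] && [ -f "${TRUSS_DIR}/key.json" ]; then
  check_sa_key "${TRUSS_DIR}/key.json" || { echo "key.json is not a service-account key" >&2; exit 1; }
  gar_sa_config us-west2-docker.pkg.dev my-project/my-repo/my-model-base:1.0 \
    > "${TRUSS_DIR}/config.yaml"
fi
```

The service account only needs roles/artifactregistry.reader on the one repository; granting it at project level, or using an owner key, widens what a leaked key can reach.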
Access Token
- Get your access token:
- Add a new secret to Baseten named DOCKER_REGISTRY_{us-west2}-docker.pkg.dev (substitute the location of your repository) with the Base64-encoded secret as the value.
- Add the secret name to the secrets section of the config.yaml to allow this model to access the secret when it is pushed.
Docker Hub
- Get a Base64-encoded secret:
- Add a new secret to Baseten named DOCKER_REGISTRY_https://index.docker.io/v1/ with the Base64-encoded secret as the value.
- Add the secret name to the secrets section of the config.yaml to allow this model to access the secret when it is pushed.
Then, add this to config.yaml:
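An added example (not from the Truss docs or the Truss project) covering the three token-based flows on this page (ECR access token, Artifact Registry access token, Docker Hub): it builds the Base64 secret value and the DOCKER_REGISTRY_* secret name, and emits the config.yaml fragment with the secrets section. It assumes the secrets section lists each secret name with a null value; account ids, regions, user names, tokens and the helper function names are placeholders.

```shell
#!/bin/sh
# Added example, not Truss project code. Builds the value and the name of a
# DOCKER_REGISTRY_* Baseten secret for the three token-based flows (ECR,
# Artifact Registry, Docker Hub) and emits the matching config.yaml fragment.
# Assumed: the secrets: section lists each secret name with a null value;
# account ids, regions, users and tokens are placeholders.

# Base64 of "<user>:<password>", the same value Docker keeps in config.json.
# printf (not echo) so no trailing newline is encoded, and tr so GNU base64's
# 76-column line wrapping cannot split the long ECR token across lines.
registry_secret_value() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Secret name: DOCKER_REGISTRY_ plus the registry exactly as Docker names it.
registry_secret_name() {
  printf 'DOCKER_REGISTRY_%s' "$1"
}

ecr_registry()       { printf '%s.dkr.ecr.%s.amazonaws.com' "$1" "$2"; }  # account id, region
gar_registry()       { printf '%s-docker.pkg.dev' "$1"; }                 # location
dockerhub_registry() { printf 'https://index.docker.io/v1/'; }

# config.yaml fragment: $1 registry (as above), $2 full image reference
token_config() {
  cat <<EOF
base_image:
  image: ${2}
secrets:
  $(registry_secret_name "$1"): null
EOF
}

# Live usage (needs the cloud CLIs and network; not run here). Each registry
# expects a fixed username in front of the token:
#   ECR:  registry_secret_value AWS "$(aws ecr get-login-password --region us-east-1)"
#   GAR:  registry_secret_value oauth2accesstoken "$(gcloud auth print-access-token)"
#   Hub:  registry_secret_value "$DOCKERHUB_USER" "$DOCKERHUB_PAT"   # read-only PAT, not the account password
# ECR login passwords last 12 hours and gcloud access tokens 1 hour, so these
# secrets must be regenerated before each deployment that pulls the image.
```

The secret name has to match the registry host that Docker derives from the image reference; for Docker Hub that is the legacy `https://index.docker.io/v1/` form rather than `docker.io`, which is why the page lists it that way.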