AWS Elastic Cloud Registry (ECR)
AWS supports using either service accounts or access tokens for short-lived access for container registry authentication.
AWS IAM Service accounts
To use an IAM service account for long-lived access, you can use the AWS_IAM authentication method in Truss.
- Get an AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the AWS dashboard.
- Add these as secrets in Baseten. These should be named aws_access_key_id and aws_secret_access_key respectively.
- Choose the AWS_IAM authentication method when setting up your Truss. The config.yaml file should look something like this:
aws_access_key_id_secret_name and aws_secret_access_key_secret_name options under docker_auth:
Access Token
- Get a Base64-encoded secret:
- Add a new secret to Baseten named DOCKER_REGISTRY_{aws account id}.dkr.ecr.{us-east-1}.amazonaws.com with the Base64-encoded secret as the value.
- Add the secret name to the secrets section of the config.yaml to allow this model to access the secret when it is pushed.
config.yaml
Google Cloud Artifact Registry
GCP supports using either access tokens for short-lived access or service accounts for container registry authentication.
Service Account
- Get your service account key as a JSON key blob.
- Add a new secret to Baseten named gcp-service-account (or similar) with the JSON key blob as the value.
- Add the secret name that you used to the secrets section of the config.yaml to allow this model to access the secret when it is pushed.
config.yaml
- Configure the docker_auth section of your base_image to ensure that the service account authentication method will be used. secret_name should match the name of the secret that contains the JSON key blob.
Access Token
- Get your access token
- Add a new secret to Baseten named DOCKER_REGISTRY_{us-west2}-docker.pkg.dev with the Base64-encoded secret as the value.
- Add the secret name to the secrets section of the config.yaml to allow this model to access the secret when it is pushed.
config.yaml
Docker Hub
- Get a Base64-encoded secret:
- Add a new secret to Baseten named DOCKER_REGISTRY_https://index.docker.io/v1/ with the Base64-encoded secret as the value.
- Add the secret name to the secrets section of the config.yaml to allow this model to access the secret when it is pushed.
config.yaml
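An added example, not taken from the Truss or Baseten documentation, covering the Base64-encoded secret steps in the ECR, Artifact Registry and Docker Hub sections: it builds the secret name and value and checks a value before it is stored. It assumes the secret is the standard Docker auth string, Base64 of username:password; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the secret value is base64("username:password"),
# the form Docker itself uses for registry auth. Base64 is an encoding, not
# encryption, so the result is as sensitive as the password itself.
# For token-based logins the username is fixed by the registry (ECR: AWS,
# Artifact Registry: oauth2accesstoken); that is general registry behaviour,
# not something stated on this page.

NL='
'

# Secret name for a registry, following the DOCKER_REGISTRY_<registry> pattern.
registry_secret_name() {
  printf 'DOCKER_REGISTRY_%s' "$1"
}

# Encode username ($1) and password or token ($2). printf emits no trailing
# newline; a plain `echo` would add one and the credential would not match.
# Read the password from a prompt or file rather than typing it inline, so it
# stays out of shell history.
encode_registry_auth() {
  case $1 in
    ''|*:*) echo "username must be non-empty and must not contain ':'" >&2; return 2 ;;
  esac
  [ -n "$2" ] || { echo "password or token is empty" >&2; return 2; }
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Pre-flight check of an encoded value without printing the credential.
# Returns 0 = ok, 1 = not valid Base64, 3 = decoded text contains a newline,
# 4 = decoded text is not of the form user:secret.
check_registry_auth() {
  # The trailing "x" keeps $(...) from stripping a newline we want to detect.
  _dec=$(printf '%s' "$1" | base64 -d 2>/dev/null && printf x) || return 1
  _dec=${_dec%x}
  case $_dec in
    *"$NL"*) _rc=3 ;;
    ?*:?*)   _rc=0 ;;
    *)       _rc=4 ;;
  esac
  unset _dec
  return "$_rc"
}
```

Return code 3 is the one that catches the usual mistake of encoding with `echo` instead of `printf` or `echo -n`.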