A guide to configuring a private container registry for your truss
Truss uses containerized environments to ensure consistent model execution across deployments. When deploying a custom base image or a custom server from a private registry, you must grant Baseten access to download that image.
AWS supports using either service accounts, or access tokens for short lived access for container registry authentication.
To use an IAM service account for long-lived access, you can use the AWS_IAM
authentication method in Truss.
Get an AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the AWS dashboard
Add these as secrets in Baseten. These should be named aws_access_key_id
and aws_secret_access_key
respectively.
Choose the AWS_IAM
authentication method when setting up your Truss. The config.yaml
file should look something like this:
Note here that you need to specify the registry and image separately.
If you’d like to use different secret names besides the default, you can configure these using the
aws_access_key_id_secret_name
and aws_secret_access_key_secret_name
options
under docker_auth
:
Add a new secret to Baseten named DOCKER_REGISTRY_{aws account id}.dkr.ecr.{us-east-1}.amazonaws.com
with the Base64-encoded secret
as the value.
Add the secret name to the secrets
section of the config.yaml
to allow this model to access the secret when it is pushed.
GCP supports using either access tokens for short lived access or service accounts for container registry authentication.
Get your service account key as a JSON key blob.
Add a new secret to Baseten named gcp-service-account
(or similar) with the JSON key blob as the value.
Add the secret name that you used to the secrets
section of the config.yaml
to allow this model to access the secret when it is pushed.
docker_auth
section of your base_image:
to ensure that the service account authentication method will be used.Note that here, secret_name
should match the name of the secret that is contains the JSON key blob.
Get your access token
Add a new secret to Baseten named DOCKER_REGISTRY_{us-west2}-docker.pkg.dev
with the Base64-encoded secret
as the value.
Add the secret name to the secrets
section of the config.yaml
to allow this model to access the secret when it is pushed.
Add a new secret to Baseten named DOCKER_REGISTRY_https://index.docker.io/v1/
with the Base64-encoded secret
as the value.
Add the secret name to the secrets
section of the config.yaml
to allow this model to access the secret when it is pushed.
Then, this to config.yaml
: