Truss uses containerized environments to ensure consistent model execution across deployments. When deploying a custom base image or a custom server from a private registry, you’ll need to grant Baseten access to download that image.

AWS Elastic Cloud Registry (ECR)

AWS supports either IAM service accounts for long-lived access or access tokens for short-lived container registry authentication.

AWS IAM Service accounts

To use an IAM service account for long-lived access, use the AWS_IAM authentication method in Truss.
  1. Get an AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the AWS dashboard.
  2. Add these as secrets in Baseten. Name them aws_access_key_id and aws_secret_access_key.
  3. Choose the AWS_IAM authentication method when setting up your Truss. The config.yaml file should look like this:
config.yaml
...
  base_image:
    image: <aws account id>.dkr.ecr.<region>.amazonaws.com/path/to/image
    docker_auth:
      auth_method: AWS_IAM
      registry: <aws account id>.dkr.ecr.<region>.amazonaws.com
  secrets:
    aws_access_key_id: null
    aws_secret_access_key: null
...
Specify the registry and image separately. To use different secret names, configure the aws_access_key_id_secret_name and aws_secret_access_key_secret_name options under docker_auth:
...
base_image:
  ...
  docker_auth:
    auth_method: AWS_IAM
    registry: <aws account id>.dkr.ecr.<region>.amazonaws.com
    aws_access_key_id_secret_name: custom_aws_access_key_secret
    aws_secret_access_key_secret_name: custom_aws_secret_key_secret
secrets:
  custom_aws_access_key_secret: null
  custom_aws_secret_key_secret: null

Access Token

  1. Get the Base64-encoded secret:
PASSWORD=`aws ecr get-login-password --region <region>`
echo -n "AWS:$PASSWORD" | base64
  2. Add a new secret to Baseten named DOCKER_REGISTRY_<account-id>.dkr.ecr.<region>.amazonaws.com with the Base64-encoded secret as the value.
  3. Add the secret name to the secrets section of config.yaml to allow this model to access the secret when pushed.
config.yaml
secrets:
  DOCKER_REGISTRY_<account-id>.dkr.ecr.<region>.amazonaws.com: null

Google Cloud Artifact Registry

GCP supports access tokens for short-lived access or service accounts for long-lived authentication.
This method also works with Google Container Registry (gcr.io, <region>.gcr.io).

Service Account

  1. Get your service account key as a JSON key blob.
  2. Add a new secret to Baseten named gcp-service-account (or similar) with the JSON key blob as the value.
  3. Add the secret name to the secrets section of config.yaml to allow this model to access the secret when pushed.
config.yaml
secrets:
  gcp-service-account: null
  4. Configure the docker_auth section of your base_image to use service account authentication:
base_image:
  ...
  docker_auth:
    auth_method: GCP_SERVICE_ACCOUNT_JSON
    secret_name: gcp-service-account
    registry: <region>-docker.pkg.dev
secret_name must match the secret you created in step 2.

Access Token

  1. Get your access token.
  2. Add a new secret to Baseten named DOCKER_REGISTRY_<region>-docker.pkg.dev with the Base64-encoded secret as the value.
  3. Add the secret name to the secrets section of config.yaml to allow this model to access the secret when pushed.
config.yaml
secrets:
  DOCKER_REGISTRY_<region>-docker.pkg.dev: null

Docker Hub

  1. Get the Base64-encoded secret:
echo -n 'username:password' | base64
  2. Add a new secret to Baseten named DOCKER_REGISTRY_https://index.docker.io/v1/ with the Base64-encoded secret as the value.
Name: DOCKER_REGISTRY_https://index.docker.io/v1/
Token: <Base64-encoded secret>
  3. Add the secret name to the secrets section of config.yaml:
config.yaml
secrets:
  DOCKER_REGISTRY_https://index.docker.io/v1/: null

GitHub Container Registry (GHCR)

  1. Create a GitHub Personal Access Token with the read:packages scope. Use a classic token, not fine-grained.
  2. Get the Base64-encoded secret:
echo -n 'github_username:ghp_your_personal_access_token' | base64
  3. Add a new secret to Baseten named DOCKER_REGISTRY_ghcr.io with the Base64-encoded secret as the value.
Name: DOCKER_REGISTRY_ghcr.io
Token: <Base64-encoded secret>
  4. Add the secret name to the secrets section of config.yaml:
config.yaml
base_image:
  image: ghcr.io/your-org/your-image:tag
secrets:
  DOCKER_REGISTRY_ghcr.io: null

NVIDIA NGC

  1. Generate an NGC API Key from your NVIDIA NGC account.
  2. Get the Base64-encoded secret:
echo -n '$oauthtoken:your_ngc_api_key' | base64
The username $oauthtoken is a literal string, not a variable. Use it exactly as shown.
  3. Add a new secret to Baseten named DOCKER_REGISTRY_nvcr.io with the Base64-encoded secret as the value.
Name: DOCKER_REGISTRY_nvcr.io
Token: <Base64-encoded secret>
  4. Add the secret name to the secrets section of config.yaml:
config.yaml
base_image:
  image: nvcr.io/nvidia/pytorch:24.01-py3
secrets:
  DOCKER_REGISTRY_nvcr.io: null
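
The Base64 secrets in the ECR access token, Docker Hub, GHCR and NGC sections all encode username:password and are stored under DOCKER_REGISTRY_<registry>. The following local pre-push check is an added example, not code from Truss or Baseten: it derives the secret name from an image reference and reports a malformed value without ever returning the password. The function names, the rule that an image reference without a registry host maps to the Docker Hub key, and the message texts are assumptions of this example.

```python
import base64
import binascii

DOCKER_HUB = "https://index.docker.io/v1/"  # registry key this page uses for Docker Hub

def registry_for(image: str) -> str:
    """Registry part of an image reference; references without a host are Docker Hub."""
    first, slash, _ = image.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return DOCKER_HUB

def secret_name_for(image: str) -> str:
    """Secret name in the DOCKER_REGISTRY_<registry> form shown on this page."""
    return "DOCKER_REGISTRY_" + registry_for(image)

def expected_user(registry: str):
    """Fixed usernames from this page: AWS for ECR, literal $oauthtoken for NGC."""
    if ".dkr.ecr." in registry and registry.endswith(".amazonaws.com"):
        return "AWS"
    return "$oauthtoken" if registry == "nvcr.io" else None

def check_secret(value: str, registry: str) -> list:
    """Return problems found in a Base64 registry secret; never echoes the password."""
    problems = []
    if any(ch.isspace() for ch in value):
        problems.append("value contains whitespace or line breaks")
    try:
        decoded = base64.b64decode("".join(value.split()), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return problems + ["not valid Base64 of UTF-8 text"]
    if decoded.endswith("\n"):
        problems.append("trailing newline was encoded (echo without -n)")
        decoded = decoded.rstrip("\n")
    user, sep, password = decoded.partition(":")
    if not (sep and user and password):
        problems.append("decoded value is not username:password")
    want = expected_user(registry)
    if want and user != want:
        problems.append(f"username must be {want} for {registry}")
    return problems

if __name__ == "__main__":
    # Constructed sample: "$oauthtoken" was expanded by the shell to an empty string.
    sample = base64.b64encode(b":constructed-ngc-key").decode()
    print(secret_name_for("nvcr.io/nvidia/pytorch:24.01-py3"), check_secret(sample, "nvcr.io"))
```

An empty list from check_secret means the value has the expected shape; it does not confirm that the registry accepts the credential.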