Configure AWS ECR Container Registry for UDF Images

TileDB Cloud Enterprise uses Docker Hub by default as the container registry for UDF images, but ECR can be used instead. This page outlines how to set up and configure ECR as the UDF image repository.

Allow REST Server Kubernetes Service Account to Access ECR

Provided that the TileDB Enterprise Helm chart is installed in the tiledb-cloud namespace, the REST Server runs under the default service account of that namespace. This service account has to be annotated as follows:

// default sa in tiledb-cloud namespace
Name:                default
Namespace:           tiledb-cloud
Annotations:         eks.amazonaws.com/role-arn: arn:aws:iam::AWS_ACCOUNT_ID:role/tiledb-cloud-assume-role

This annotation refers to an AWS IAM role, which has to include a policy statement that allows read access to ECR:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ECRReadOnly",
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetAuthorizationToken",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ],
            "Resource": "*"
        },
     ...
    ]
}

Configuring ECR

After you have verified ECR access, configure values.yaml to enable it:

tiledb-cloud-rest:
  restConfig:
    # REQUIRED: Set the private docker registry credentials
    ContainerRegistry:
      Host: "AWS_ACCOUNT_ID.dkr.ecr.AWS_REGION.amazonaws.com"
      EnableDockerhubAuth: false
      EnableEcrAuth: true
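Before rolling this out, it helps to cross-check the IAM policy above against the restConfig block so that a missing ECR action, an unreplaced placeholder in Host, or a stale Docker Hub setting is caught before the REST Server tries its first pull. The following is an added example, not code from TileDB or this page; it takes the policy document and the parsed restConfig block as Python dicts (the account id 123456789012 and the repository name are constructed placeholders), and it also flags where the page's Resource "*" could be narrowed, since only ecr:GetAuthorizationToken requires "*" and the three image actions accept repository ARNs.

```python
import re

# The four actions the page's ECRReadOnly statement grants; a pull needs all of them.
REQUIRED_ECR_ACTIONS = {
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
}
# Expected shape of an ECR registry hostname: 12-digit account id and a region.
ECR_HOST_RE = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$")

def _actions(stmt: dict) -> set:
    """Normalise a statement's Action field (string or list) to a set."""
    act = stmt.get("Action", [])
    return {act} if isinstance(act, str) else set(act)

def check_ecr_setup(policy: dict, rest_config: dict) -> list:
    """Cross-check the role policy and the restConfig block; return findings ([] = OK)."""
    findings = []
    allowed = set().union(*(_actions(s) for s in policy.get("Statement", [])
                            if s.get("Effect") == "Allow"))
    missing = REQUIRED_ECR_ACTIONS - allowed
    if missing:
        findings.append("policy missing ECR actions: " + ", ".join(sorted(missing)))
    for s in policy.get("Statement", []):
        # Only ecr:GetAuthorizationToken needs Resource "*"; image actions can be scoped to repository ARNs.
        if s.get("Resource") == "*" and _actions(s) - {"ecr:GetAuthorizationToken"}:
            findings.append(f"note: {s.get('Sid')} grants image actions on '*'; scope them to repository ARNs")
    reg = rest_config.get("ContainerRegistry", {})
    host = reg.get("Host", "")
    if not ECR_HOST_RE.match(host):
        findings.append(f"ContainerRegistry.Host {host!r} is not an ECR registry hostname")
    if reg.get("EnableEcrAuth") is not True:
        findings.append("EnableEcrAuth must be true")
    if reg.get("EnableDockerhubAuth") is not False:
        findings.append("EnableDockerhubAuth should be false when ECR is the registry")
    return findings

# Constructed sample inputs: the page's policy statement and a restConfig block with a placeholder account id.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ECRReadOnly", "Effect": "Allow", "Resource": "*",
    "Action": sorted(REQUIRED_ECR_ACTIONS)}]}
SAMPLE_REST_CONFIG = {"ContainerRegistry": {
    "Host": "123456789012.dkr.ecr.us-east-1.amazonaws.com",
    "EnableDockerhubAuth": False, "EnableEcrAuth": True}}

if __name__ == "__main__":
    for finding in check_ecr_setup(SAMPLE_POLICY, SAMPLE_REST_CONFIG) or ["OK"]:
        print(finding)
```

Run against the page's own values.yaml with AWS_ACCOUNT_ID and AWS_REGION left in place, the Host check fails, which is the intended reminder to substitute real values.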
