AWS ECR Container Registry
Learn how to set up AWS ECR as a UDF image repository as an alternative to Dockerhub.
TileDB Cloud Self-hosted uses Dockerhub as the container registry for UDF images by default, but you can also use ECR. This page outlines how to set up and configure ECR as a UDF image repository.
Allow REST server Kubernetes service account to access ECR
Provided that you install the TileDB Cloud Self-hosted Helm chart in the tiledb-cloud namespace, the REST server uses the default service account of this namespace. You must annotate it as follows:
# default service account in the tiledb-cloud namespace
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: tiledb-cloud
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::AWS_ACCOUNT_ID:role/tiledb-cloud-assume-role"
This annotation refers to an AWS IAM role, which must include a policy statement that allows read access to ECR:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRReadOnly",
      "Effect": "Allow",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetAuthorizationToken",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": "*"
    },
    ...
  ]
}
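The following is an added example, not part of the TileDB documentation: a small pre-deployment check that the IAM policy attached to the role grants the REST server no more ECR access than the four pull actions above, and that the service account annotation carries a well-formed role ARN. The sample policy documents and the account id 123456789012 are constructed placeholders for AWS_ACCOUNT_ID.

```python
import json
import re

# The four actions the ECRReadOnly statement grants; pulling an image needs no more.
# Note: ecr:GetAuthorizationToken only accepts Resource "*"; the other three can be
# scoped to specific repository ARNs instead of "*" if you want a tighter policy.
ECR_PULL_ACTIONS = {
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
}
_PULL_LOWER = {a.lower() for a in ECR_PULL_ACTIONS}  # IAM action names are case-insensitive
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def check_ecr_policy(policy_json: str) -> list[str]:
    """Return one finding per ECR action in an Allow statement that exceeds image pulls."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            # "*" and "ecr:*" are wildcards; anything like ecr:PutImage is a write action.
            if action == "*" or (action.lower().startswith("ecr:")
                                 and action.lower() not in _PULL_LOWER):
                findings.append(f"{stmt.get('Sid', '<no Sid>')}: {action} exceeds pull access")
    return findings


def check_sa_annotation(annotations: dict) -> list[str]:
    """The IRSA annotation on the service account must name a well-formed IAM role ARN."""
    arn = annotations.get("eks.amazonaws.com/role-arn", "")
    return [] if ROLE_ARN_RE.match(arn) else [f"bad or missing role-arn annotation: {arn!r}"]


# Constructed sample inputs; 123456789012 stands in for AWS_ACCOUNT_ID.
POLICY_OK = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ECRReadOnly", "Effect": "Allow", "Resource": "*",
    "Action": sorted(ECR_PULL_ACTIONS)}]})
POLICY_WIDE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ECRAll", "Effect": "Allow", "Action": ["ecr:*", "ecr:PutImage"], "Resource": "*"}]})
SA_ANNOTATIONS = {"eks.amazonaws.com/role-arn":
                  "arn:aws:iam::123456789012:role/tiledb-cloud-assume-role"}

if __name__ == "__main__":
    print(check_ecr_policy(POLICY_OK))         # []
    print(check_ecr_policy(POLICY_WIDE))       # two findings, one per over-broad action
    print(check_sa_annotation(SA_ANNOTATIONS))  # []
```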
Configure ECR
After you have verified ECR access, you need to configure values.yaml to enable using it.
tiledb-cloud-rest:
  restConfig:
    # REQUIRED: Set the private docker registry credentials
    ContainerRegistry:
      Host: "AWS_ACCOUNT_ID.dkr.ecr.AWS_REGION.amazonaws.com"
      EnableDockerhubAuth: false
      EnableEcrAuth: true