ECR image support is currently in beta. Join our Discord to provide feedback and get support.
This tutorial covers ECR integration for Pods. If you’re deploying Serverless workers from ECR, see Deploying from AWS ECR — Serverless endpoints use a different credential mechanism.
What you’ll learn
- How to build and push a Docker image to a private ECR repository.
- How to configure an AWS ECR repository policy for cross-account access.
- How to add an ECR credential in the Runpod console.
- How to deploy a using your private ECR image.
Requirements
- A Runpod account with credits.
- An AWS account with ECR enabled.
- An AWS IAM user or role with
ecr:SetRepositoryPolicypermission on the repository. - Your AWS Account ID — a 12-digit number found in the top-right dropdown of the AWS Console.
- Docker installed on your local machine.
- AWS CLI installed (required to push images; optional if your image is already in ECR).
Step 1: Push your image to ECR
Skip this step if your image is already in ECR.Configure AWS CLI credentials
Run the following command and enter your access key, secret key, and session token when prompted:Create a private ECR repository
- Open the Amazon ECR console.
- Under Private registry, select Repositories and click Create repository.
- Enter a name and click Create repository.
- Note the URI shown for your new repository — you’ll use it in the following steps.
Build, tag, and push your image
Authenticate Docker with ECR, then build and push your image:YOUR_ACCOUNT_ID, YOUR_REGION, and YOUR_REPOSITORY_NAME with your values.
Step 2: Configure your ECR repository policy
To pull images from your private ECR repository, Runpod needs cross-account access. You grant this by adding an IAM policy to your repository.- Open the Amazon ECR console.
- Select the repository containing your container image.
- In the left navigation, select Permissions.
- Click Edit policy JSON and add the following policy statement:
- Click Save.
The
aws:PrincipalArn value (arn:aws:iam::550005742258:role/prod-us-east-1-deployment-role) is Runpod’s fixed AWS deployment role — not something you create or manage. 550005742258 is Runpod’s AWS account ID, and this ARN is the same for all Runpod users. Do not modify it. Its permissions are intentionally limited to pulling images only, so Runpod cannot access any other part of your AWS account.ecr:GetAuthorizationToken is an account-level AWS action, not repository-scoped. If your organization uses Service Control Policies (SCPs), confirm this action is not blocked at the org level.Alternative: Configure via AWS CLI
YOUR_REPOSITORY_NAME with the name of your ECR repository.
Step 3: Add your ECR credential to Runpod
- Navigate to Settings in the Runpod console.
- Scroll down to Container Registry Authentication and click Add Credential.
- Select AWS ECR as the registry type.
- Enter a Name for this credential (for example,
my-ecr-repo). - Enter the ECR Image URI in the format
ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/REPOSITORY_NAME:TAG. You must include the tag (for example,:latestor:v1.0.0). Runpod requires the tag to store the delegation. - Click Create.
Step 4: Deploy a with your private image
You can deploy using a template or directly from the deploy page.Option A: Deploy directly
- Navigate to Pods and select Deploy.
- Choose your GPU configuration.
- Under Container Image, enter your full ECR image URI (for example,
123456789012.dkr.ecr.us-east-2.amazonaws.com/my-app:latest). - Configure any additional settings such as environment variables or exposed ports.
- Click Deploy.
Option B: Deploy via a template
- Navigate to Templates.
- Create a new template or update an existing one.
- Set the Container Image to your ECR image URI.
- Save the template, then deploy a from it.
You’ve configured cross-account ECR delegation and deployed a using a private container image.
Troubleshooting
Credential creation fails:- Confirm the repository policy JSON is saved: ECR console → your repository → Permissions tab.
- Check that the
aws:PrincipalArnvalue matches exactly — no trailing spaces or modified characters. - Verify your IAM user has
ecr:SetRepositoryPolicypermission.
- Confirm the ECR image URI in the or template matches the one registered in Step 3.
- Check that the image tag exists in your ECR repository.
- Verify the repository policy is applied to the correct repository.
Next steps
- Learn how to create custom templates from your container images.
- Explore environment variables for configuring your containers.
- Set up network volumes for persistent storage.