Using Private ECR Repositories for Workspace Images
⚠️ Note: When using a private image in combination with
gp validate, you’ll need to authenticate against the private registry in your workspace. This is becausegp validateemulates a workspace start using the Docker daemon running in your workspace. To prevent unintended security repercussions, the credentials used during workspace start are not automatically made available in the workspace.
Authenticating Gitpod Dedicated with a Private ECR Repository
Navigate to the AWS account where the target ECR repository is located.
Modify the target ECR repositories resource policy (repositories > permissions) with the following entry:
json
language: { "Version": "2012-10-17", "Statement": [ { "Sid": "Gitpod Access", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ], "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::<your-gitpod-dedicated-aws-account-id>:root" ] } } ] }
How to use an Image from a Private ECR Repository in a .gitpod.yml File
Ensure you’ve followed the authentication steps from the section above.
In your
.gitpod.ymlfile, directly reference the private ECR image:yml
language: image: <aws-ecr-url-prefix>.amazonaws.com/<your-image-name:tag>
How to use an Image from a Private ECR Repository in Combination with Custom Dockerfiles
Ensure you’ve followed the authentication steps from the section above.
In your project repository, create a Dockerfile that references your private ECR image:
dockerfile
language: FROM <aws-ecr-url-prefix>.amazonaws.com/<your-image-name:tag> # Add your customizations hereIn your
.gitpod.ymlfile, reference the Dockerfile:yml
language: image: file: Dockerfile
Ensure that your image and Dockerfile adhere to the same requirements described here.