# Amazon Elastic Container Registry (ECR)

1. In Arnica, click Connect next to **Elastic Container Registry (ECR)**\
   ![](https://4035514934-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMxc1Ek3qoIZi5t2Sx7do%2Fuploads%2Fgit-blob-f920c3f776f86f3f94c4d0a529a87b3705bb4cef%2Fimage.png?alt=media)

## Recommended: IAM Role (CloudFormation)

We strongly recommend using an IAM Role instead of access keys. It is more secure (no long‑lived keys) and easier to manage.

* **If you have AWS access:**
  1. In the integration dialog, keep the **IAM Role** tab selected.
  2. Click **Deploy CloudFormation Template**.
  3. In the AWS Console, click **Create Stack** to deploy the template. Any region works because IAM roles are global; we recommend `us-east-1` for simplicity.
  4. After the stack finishes, open the **Outputs** tab.
  5. Copy the `RoleArn` value. You do not need to copy the `ExternalId` as long as you did not change it in Arnica.
  6. Back in Arnica, paste the `RoleArn` into the **Role ARN** field (if your `External ID` differs for any reason, enter it as shown in the dialog).
  7. (Optional) Enter an alias to help you recognize the integration.
  8. Click **Validate**, then **OK**.
* **If you do not have AWS access:**
  1. Copy the **Direct template link** and your **External ID** from the integration dialog:
     * Template URL: `https://arnica-integration-templates.s3.amazonaws.com/ecr-integration-role.yaml`
     * External ID: use the value shown in Arnica. Keep this External ID so you can complete the integration later.
  2. Ask your AWS administrator to deploy the template using that External ID (any region is fine; `us-east-1` recommended) and to send you the `RoleArn` from the stack's Outputs.
  3. When you receive the `RoleArn`, paste it into the **Role ARN** field in Arnica. If your admin used a different External ID, update the **External ID** field to match.
  4. (Optional) Enter an alias, click **Validate**, then **OK**.

## Alternative: Access Key (not recommended)

Only use this if you cannot use the IAM Role method above.

1. Create an IAM user with the following permissions:

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "ecr:GetAuthorizationToken",
                   "ecr:BatchCheckLayerAvailability",
                   "ecr:GetDownloadUrlForLayer",
                   "ecr:GetRepositoryPolicy",
                   "ecr:DescribeRepositories",
                   "ecr:ListImages",
                   "ecr:DescribeImages",
                   "ecr:BatchGetImage",
                   "ecr:GetLifecyclePolicy",
                   "ecr:GetLifecyclePolicyPreview",
                   "ecr:ListTagsForResource",
                   "ecr:DescribeImageScanFindings",
                   "ec2:DescribeRegions"
               ],
               "Resource": "*"
           }
       ]
   }
   ```
2. In Arnica, switch to the **Access Key** tab, enter the **Access Key ID** and **Secret Access Key**, click **Validate**, then **OK**.