# Amazon Elastic Container Registry (ECR)

1. In Arnica, click **Connect** next to **Elastic Container Registry (ECR)**.
   ![](/files/i5KYg6u0HceOEBgRBspw)

## Recommended: IAM Role (CloudFormation)

We strongly recommend using an IAM Role instead of access keys. It is more secure (no long‑lived keys) and easier to manage.

* **If you have AWS access:**
  1. In the integration dialog, keep the **IAM Role** tab selected.
  2. Click **Deploy CloudFormation Template**.
  3. In the AWS Console, click **Create Stack** to deploy the template. Any region works because IAM roles are global; we recommend `us-east-1` for simplicity.
  4. After the stack finishes, open the **Outputs** tab.
  5. Copy the `RoleArn` value. You do not need to copy the `ExternalId` as long as you did not change it in Arnica.
  6. Back in Arnica, paste the `RoleArn` into the **Role ARN** field (if your `External ID` differs for any reason, enter it as shown in the dialog).
  7. (Optional) Enter an alias to help you recognize the integration.
  8. Click **Validate**, then **OK**.
* **If you do not have AWS access:**
  1. Copy the **Direct template link** and your **External ID** from the integration dialog:
     * Template URL: `https://arnica-integration-templates.s3.amazonaws.com/ecr-integration-role.yaml`
     * External ID: use the value shown in Arnica. Keep this External ID so you can complete the integration later.
  2. Ask your AWS administrator to deploy the template using that External ID (any region is fine; `us-east-1` recommended) and to send you the `RoleArn` from the stack's Outputs.
  3. When you receive the `RoleArn`, paste it into the **Role ARN** field in Arnica. If your admin used a different External ID, update the **External ID** field to match.
  4. (Optional) Enter an alias, click **Validate**, then **OK**.

## Alternative: Access Key (not recommended)

Only use this if you cannot use the IAM Role method above.

1. Create an IAM user with the following permissions:

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "ecr:GetAuthorizationToken",
                   "ecr:BatchCheckLayerAvailability",
                   "ecr:GetDownloadUrlForLayer",
                   "ecr:GetRepositoryPolicy",
                   "ecr:DescribeRepositories",
                   "ecr:ListImages",
                   "ecr:DescribeImages",
                   "ecr:BatchGetImage",
                   "ecr:GetLifecyclePolicy",
                   "ecr:GetLifecyclePolicyPreview",
                   "ecr:ListTagsForResource",
                   "ecr:DescribeImageScanFindings",
                   "ec2:DescribeRegions"
               ],
               "Resource": "*"
           }
       ]
   }
   ```
2. In Arnica, switch to the **Access Key** tab, enter the **Access Key ID** and **Secret Access Key**, click **Validate**, then **OK**.
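
To confirm that the IAM user's policy has not drifted from the read-only list above, the following added example (not Arnica's code) compares a policy document against that list. The names `audit_policy`, `EXPECTED` and `SAMPLE` are hypothetical, and the sample policy is constructed for illustration.

```python
import fnmatch
import json

# Read-only actions from the policy shown on this page.
EXPECTED = {
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy",
    "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages",
    "ecr:BatchGetImage", "ecr:GetLifecyclePolicy",
    "ecr:GetLifecyclePolicyPreview", "ecr:ListTagsForResource",
    "ecr:DescribeImageScanFindings", "ec2:DescribeRegions",
}

# Constructed sample: a policy that drifted from the documented one.
SAMPLE = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["ecr:PutImage", "ecr:Describe*", "ec2:describeregions"],
        "Resource": "*",
    },
})

def _as_list(value):
    # IAM accepts a single object/string where a list is allowed.
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return (excess, missing) for the Allow statements of a policy.
    excess:  granted action patterns that are not on the documented list
    missing: documented actions that no granted pattern covers
    Deny statements and conditions are not evaluated.
    """
    granted = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except a list
            granted.append("NotAction")
        granted += _as_list(stmt.get("Action", []))
    # IAM action names are case-insensitive, so compare in lower case.
    expected = {a.lower(): a for a in EXPECTED}
    patterns = [p.lower() for p in granted]
    excess = sorted(p for p in granted if p.lower() not in expected)
    missing = sorted(a for low, a in expected.items()
                     if not any(fnmatch.fnmatchcase(low, p) for p in patterns))
    return excess, missing

if __name__ == "__main__":
    print(audit_policy(SAMPLE))
```

Any entry in `excess` (a write action, a wildcard, or `NotAction`) grants more than the integration is documented to need; entries in `missing` are documented actions the policy does not grant.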

