Amazon Elastic Container Registry (ECR)

Amazon Elastic Container Registry (ECR) integration setup for Arnica

  1. In Arnica, click Connect next to Elastic Container Registry (ECR)

Recommended: IAM Role (CloudFormation)

We strongly recommend using an IAM Role instead of access keys. It is more secure (no long‑lived keys) and easier to manage.

  • If you have AWS access:

    1. In the integration dialog, keep the IAM Role tab selected.

    2. Click Deploy CloudFormation Template.

    3. In the AWS Console, click Create Stack to deploy the template. Any region works because IAM roles are global; we recommend us-east-1 for simplicity.

    4. After the stack finishes, open the Outputs tab.

    5. Copy the RoleArn value. You do not need to copy the ExternalId as long as you did not change it in Arnica.

    6. Back in Arnica, paste the RoleArn into the Role ARN field (if your External ID differs for any reason, enter it as shown in the dialog).

    7. (Optional) Enter an alias to help you recognize the integration.

    8. Click Validate, then OK.

  • If you do not have AWS access:

    1. Copy the Direct template link and your External ID from the integration dialog:

      • Template URL: https://arnica-integration-templates.s3.amazonaws.com/ecr-integration-role.yaml

      • External ID: use the value shown in Arnica. Keep this External ID so you can complete the integration later.

    2. Ask your AWS administrator to deploy the template using that External ID (any region is fine; us-east-1 recommended) and to send you the RoleArn from the stack's Outputs.

    3. When you receive the RoleArn, paste it into the Role ARN field in Arnica. If your admin used a different External ID, update the External ID field to match.

    4. (Optional) Enter an alias, click Validate, then OK.

Alternative: Access Key (not recommended)

Only use this if you cannot use the IAM Role method above.

  1. Create an IAM user with the following permissions:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings",
                "ec2:DescribeRegions"
            ],
            "Resource": "*"
        }
    ]
}

  2. In Arnica, switch to the Access Key tab, enter the Access Key ID and Secret Access Key, click Validate, then OK.

PreviousContainer IntegrationsNextGitHub Container Registry (GHCR)

Last updated

Was this helpful?