Features

Import Base Images from Private AWS ECR Registries

To pull from an ECR registry, add your registry name to the base_image field.

Configure your Beam app

from beam import App, Image, Runtime


app = App(
    name="ecr-example",
    runtime=Runtime(
        image=Image(
            # Import base image from private ECR registry
            base_image="683656326992.dkr.ecr.us-east-1.amazonaws.com/beam-test",
            base_image_creds=Image.get_credentials_from_env(
                ["AWS_ACCESS_KEY", "AWS_SECRET_KEY", "AWS_REGION"]
            ),
        )
    ),
)

Add an AWS IAM role

You must create an IAM user with the following policy attached. This allows Beam to generate an authentication token to download the image from your private registry.

Your AWS IAM credentials will be used to pull your image, but they are not stored in our system.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ],
            "Resource": "arn:aws:ecr:us-east-1:683656326989:repository/dev-test"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        }
    ]
}

Source credentials

Beam will read your credentials from a local .env file, using the Image.get_credentials_from_env() method in the Beam SDK.

Your .env file should look like this:

#!/bin/bash

export AWS_REGION=YOUR_REGION
export AWS_SECRET_KEY=YOUR_KEY
export AWS_ACCESS_KEY=YOUR_KEY

Make sure to source the .env file before running beam deploy [app].py

Was this page helpful?

Upgrading BeamJanuary 3, 2024