Managed Images

Managed Images is a feature of the RI Platform that allows you to easily containerize a model’s dependencies — programmatically (e.g., via the Python SDK) specify your model’s dependencies and easily swap between Docker images as you run different models!

Currently Managed Images operates via AWS ECR.

NOTE: as of version 0.13.0, the Managed Images feature is enabled by default in our Terraform module.

Configuration for this feature is handled via the image_registry_config of the rime Terraform module:

module "rime" {
  ...
  image_registry_config = {
    enable                       = true
    allow_external_custom_images = true
    repository_prefix            = ""
  }
  ...
}

repository_prefix

The repository_prefix is a string that labels your managed image repositories within ECR.

The RI Platform will operate only on repositories beginning with this repository_prefix.

Permissions for the Managed Image Registry

Permissions for Managed Images can be applied automatically by an admin when applying our Terraform module.

ecr:CreateRepository
ecr:DeleteRepository
ecr:DescribeImages
ecr:PutLifecyclePolicy
ecr:ListImages

These permissions allow the registry server to create and modify repositories with the given repository_prefix. Additionally, it requires ecr:GetAuthorizationToken for all resources in order to authorize itself.

Jobs executed by the registry server use the following permissions to build new images:

ecr:BatchGetImage
ecr:BatchCheckLayerAvailability
ecr:CompleteLayerUpload
ecr:GetDownloadUrlForLayer
ecr:InitiateLayerUpload
ecr:PutImage
ecr:UploadLayerPart

These permissions allow these jobs to pull and push new images to the repositories created with prefix repository_prefix. These jobs also require ecr:GetAuthorizationToken for all resources in order to authorize themeselves.