AWS ECR credentials
Container registry credentials
From version 22.3, Tower supports the configuration of credentials for the Nextflow Wave container service to authenticate to private and public container registries. For more information on Wave containers, see here.
Container registry credentials are only leveraged by the Wave containers service. In order for your pipeline execution to leverage Wave containers, add wave { enabled=true } either to the Nextflow config field on the launch page, or to your nextflow.config file.
AWS ECR access
Wave requires programmatic access to your private registry via long-term access keys. Create a user with registry read permissions (e.g. a subset of the AWS-managed AmazonEC2ContainerRegistryReadOnly policy) for this purpose.
An IAM administrator can create and manage access keys from the AWS management console:
- Open the IAM console.
- Select Users from the navigation pane.
- Select the name of the user whose keys you want to manage, then select the Security credentials tab. We recommend creating an IAM user specifically for Wave authentication instead of using existing credentials with broader permissions.
- In the Access keys section, select Create access key. Each IAM user can have only two access keys at a time, so if the Create option is deactivated, delete an existing access key first.
- On the Access key best practices & alternatives page, select Other and then Next.
- On the Retrieve access key page, you can either Show the user's secret access key details, or store them by selecting Download .csv file.
- The newly created access key pair is active by default and can be stored as a container registry credential in Tower.
Your credential must be stored in Tower as a container registry credential, even if the same access keys already exist in Tower as a workspace credential.
Add credentials to Tower
-
From an organization workspace: navigate to the Credentials tab and select Add Credentials.
-
From your personal workspace: select Your credentials from the user top-right menu, then select Add credentials.
| Property | Description | Example |
|---|---|---|
| Name | A unique name for the credentials using alphanumeric characters, dashes, or underscores | my-registry-creds |
| Provider | Credential type | Container registry |
| User name | IAM user access key ID | AKIAIOSFODNN7EXAMPLE |
| Password | IAM user secret access key | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
| Registry server | The container registry server name | https://<aws_account_id>.dkr.ecr.<region>.amazonaws.com |
Once the form is complete, select Add. The new credential is now listed under the Credentials tab.