Skip to main content
Version: 23.2.0

AWS ECR credentials

Container registry credentials

From version 22.3, Tower supports the configuration of credentials for the Nextflow Wave container service to authenticate to private and public container registries. For more information on Wave containers, see here.

Container registry credentials are only leveraged by the Wave containers service. In order for your pipeline execution to leverage Wave containers, add wave { enabled=true } either to the Nextflow config field on the launch page, or to your nextflow.config file.

AWS ECR access

Wave requires programmatic access to your private registry via long-term access keys. Create a user with registry read permissions (e.g. a subset of the AWS-managed AmazonEC2ContainerRegistryReadOnly policy) for this purpose.

An IAM administrator can create and manage access keys from the AWS management console:

  1. Open the IAM console.
  2. Select Users from the navigation pane.
  3. Select the name of the user whose keys you want to manage, then select the Security credentials tab. We recommend creating an IAM user specifically for Wave authentication instead of using existing credentials with broader permissions.
  4. In the Access keys section, select Create access key. Each IAM user can have only two access keys at a time, so if the Create option is deactivated, delete an existing access key first.
  5. On the Access key best practices & alternatives page, select Other and then Next.
  6. On the Retrieve access key page, you can either Show the user's secret access key details, or store them by selecting Download .csv file.
  7. The newly created access key pair is active by default and can be stored as a container registry credential in Tower.

Your credential must be stored in Tower as a container registry credential, even if the same access keys already exist in Tower as a workspace credential.

Add credentials to Tower

  • From an organization workspace: navigate to the Credentials tab and select Add Credentials.

  • From your personal workspace: select Your credentials from the user top-right menu, then select Add credentials.

NameA unique name for the credentials using alphanumeric characters, dashes, or underscoresmy-registry-creds
ProviderCredential typeContainer registry
User nameIAM user access key IDAKIAIOSFODNN7EXAMPLE
PasswordIAM user secret access keywJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Registry serverThe container registry server namehttps://<aws_account_id>.dkr.ecr.<region>

Once the form is complete, select Add. The new credential is now listed under the Credentials tab.