Using Third Party Registries

Replicated can integrate with your third-party private registry (e.g. Docker Trusted Registry, ECR, GCR). To use one of these external registries, connect it to your vendor account on the app images page.

You’ll need to provide a reference name, endpoint, username, password and email address. We recommend creating a dedicated account for Replicated with read-only access.
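An added example, not part of the Replicated documentation: for an ECR registry, the read-only account recommended above can be an IAM user whose only permissions are a pull-only policy like this one. The account ID 111122223333, region us-east-1 and repository namespace/imagename are placeholders, and it is an assumption that proxying images needs only the standard ECR pull actions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRegistryLogin",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "AllowPullFromShippedRepositoryOnly",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "arn:aws:ecr:us-east-1:111122223333:repository/namespace/imagename"
    }
  ]
}
```

`ecr:GetAuthorizationToken` does not support resource-level scoping, so it stays on `*`; the pull actions are limited to the one repository being shipped, and no push or delete action is granted.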

Your credentials will never be shared with or used by the customer to pull your images; instead, we proxy your images for each installation.


For delivering private images with KOTS please see the documentation for using private images with KOTS.

Native Scheduler

To access these images in your YAML, use the reference name as the source, the image’s location in the registry as the image name, and the tag as the version.

components:
- name: App
  containers:
  - source: mythirdpartyprivateregistry
    image_name: namespace/imagename
    version: 2.0.0

Swarm and Kubernetes

Swarm and Kubernetes require additional information:

images:
- source: mythirdpartyprivateregistry
  name: namespace/imagename
  tag: 2.0.0

---
# kind: scheduler-swarm
version: '3.3'



For delivering images in Ship, see Ship a Private Image in the Getting Started with Ship guide.

From the above, it was clear that the alias defined in the field “Name (Ref)” under Application → Settings needed to be put into the release yaml under ‘components.containers.source’, but it wasn’t clear to me that ‘services.blah.image’ needed to be (if I’m using and not mythirdpartyprivateregistry/mycompany/blah:v1

To clarify the setup of ECR, since what needs to be provided for each field can be a little unclear:

  1. You choose the name
  2. The endpoint is of the form <account id>.dkr.ecr.<region>
  3. The username is the AWS access key ID
  4. The password is the AWS access token

And the email does not matter.