Overview
Container image storage and distribution with cross-account access.
An Artifact Registry is a collection of container image repositories with shared identity and access control. You provision one per stack, then create repositories within it at runtime.
```
ArtifactRegistry("images")         ← provisioned once (IAM roles, cloud registry, etc.)
├── createRepository("app-a")      ← runtime: create repos within it
├── createRepository("app-b")
└── createRepository("app-c")
```
Each platform maps this to its native container registry service:
Platform Mapping
| Platform | Backing Service | Provisioned by |
|---|---|---|
| AWS | Amazon ECR | Alien |
| GCP | Google Artifact Registry | Alien |
| Azure | Azure Container Registry | Alien |
| Kubernetes / On-Prem | External container image registry | Cluster operator |
| Local | In-process container image registry | Alien |
When to Use
Use Artifact Registry when your application needs to manage container images programmatically — building, pushing, pulling, and distributing images across cloud accounts.
Quick Start
```ts
// alien.ts
const registry = new alien.ArtifactRegistry("images")
  .replicationRegions(["us-west-2", "eu-west-1"]) // AWS only
  .build()
```
```ts
import { artifactRegistry } from "@alienplatform/sdk"

const registry = await artifactRegistry("images")
const repo = await registry.createRepository("my-app")
console.log(repo.uri) // "123456789012.dkr.ecr.us-east-1.amazonaws.com/images-my-app"

const creds = await registry.generateCredentials(repo.name, "push-pull")
// Use with: docker login -u ${creds.username} -p ${creds.password} ${repo.uri}
// Optional: pass TTL in seconds — registry.generateCredentials(repo.name, "push-pull", 3600)
```
```rust
let registry = ctx.bindings().load_artifact_registry("images").await?;
let repo = registry.create_repository("my-app").await?;
let creds = registry
    .generate_credentials("my-app", ArtifactRegistryPermissions::PushPull, Some(3600))
    .await?;
```
Cross-Account Access
Grant other cloud accounts permission to pull images:
```ts
// AWS
await registry.addCrossAccountAccess("my-app", {
  type: "aws",
  accountIds: ["987654321098"],
  regions: ["us-east-1"],
  roleArns: ["arn:aws:iam::987654321098:role/lambda-execution"],
  allowedServiceTypes: ["worker"],
})

// GCP
await registry.addCrossAccountAccess("my-app", {
  type: "gcp",
  projectNumbers: ["123456789"],
  serviceAccountEmails: ["sa@project.iam.gserviceaccount.com"],
  allowedServiceTypes: ["worker"],
})
```
Cross-account access is not supported on Azure through Alien.
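A pre-flight check for the grant objects passed to `addCrossAccountAccess` above, as an added example that is not part of the Alien SDK. Only the field names come from the snippets on this page; `validateGrant` and its rules (12-digit account IDs, role ARNs confined to a listed account, no wildcard entries) are assumptions of this example.

```typescript
// Added example, not Alien SDK code. Field names mirror the page's snippets;
// validateGrant and every rule below are assumptions of this example.
type AwsGrant = {
  type: "aws"; accountIds: string[]; regions: string[]
  roleArns: string[]; allowedServiceTypes: string[]
}
type GcpGrant = {
  type: "gcp"; projectNumbers: string[]
  serviceAccountEmails: string[]; allowedServiceTypes: string[]
}
type Grant = AwsGrant | GcpGrant | { type: "azure" }

const ROLE_ARN = /^arn:aws[a-z-]*:iam::(\d{12}):role\/[\w+=,.@\/-]+$/
const REGION = /^[a-z]{2}(-[a-z]+)+-\d$/
const SA_EMAIL = /^[a-z0-9-]+@[a-z0-9.-]+\.gserviceaccount\.com$/

// Returns a list of problems; an empty list means the grant passed every check.
function validateGrant(g: Grant): string[] {
  const problems: string[] = []
  const each = (label: string, values: string[], ok: (v: string) => boolean) => {
    // An empty list is rejected so a grant never relies on an implicit default.
    if (values.length === 0) problems.push(`${label}: empty list`)
    for (const v of values) if (!ok(v)) problems.push(`${label}: rejected "${v}"`)
  }
  if (g.type === "azure") return ["azure: cross-account access is not supported"]
  if (g.type === "aws") {
    const accounts = g.accountIds
    each("accountIds", accounts, (v) => /^\d{12}$/.test(v))
    each("regions", g.regions, (v) => REGION.test(v))
    each("roleArns", g.roleArns, (v) => {
      const m = ROLE_ARN.exec(v)
      // The role must live in an account that is itself on the allow list,
      // which also rejects "*" and ARNs for users or root principals.
      return m !== null && accounts.indexOf(m[1] ?? "") !== -1
    })
  } else {
    each("projectNumbers", g.projectNumbers, (v) => /^\d+$/.test(v))
    each("serviceAccountEmails", g.serviceAccountEmails, (v) => SA_EMAIL.test(v))
  }
  each("allowedServiceTypes", g.allowedServiceTypes, (v) => /^[a-z][a-z0-9-]*$/.test(v))
  return problems
}
```

Calling it before `addCrossAccountAccess` and refusing to proceed on a non-empty result keeps a typo or a wildcard from widening who can pull.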