PodArmor docs
Getting started

Pull your first image

From zero to a running PodArmor image in two commands.

Public images

Hardened versions of common upstreams live on our public ECR:

docker pull public.ecr.aws/e8w9b9r7/podarmor/nginx:1.29.1-r2
docker run --rm -p 8080:8080 public.ecr.aws/e8w9b9r7/podarmor/nginx:1.29.1-r2

No authentication needed — the registry is anonymous-read.

Private (per-customer) images

If you have a private image catalog (e.g. customer-specific Maven build images), they live in your AWS account's ECR. Pulling requires AWS credentials that can read the repository:

# Authenticate
aws ecr get-login-password --region <your-region> --profile <your-profile> | \
  docker login --username AWS --password-stdin \
  <account-id>.dkr.ecr.<your-region>.amazonaws.com

# Pull
docker pull <account-id>.dkr.ecr.<your-region>.amazonaws.com/podarmor/<image>:<tag>

The portal's image detail page shows the exact pull command pre-formatted for one-click copy.

Cross-account access

If your AWS account is different from the one PodArmor publishes into, we'll configure a cross-account repository policy on the relevant repos that grants BatchGetImage + GetDownloadUrlForLayer + BatchCheckLayerAvailability to your account's principals.

Once that's in place, your normal AWS profile works without a credential swap. See the Webhooks & integrations section for the policy JSON we apply.

On this page