Snowpark Container Services: Working with an image registry and repository

Snowpark Container Services provides an OCIv2-compliant image registry service and a storage unit call repository to store images.

Image registry

The image registry service serves the OCIv2 API for storing OCI-compliant container images.

Note

For the private preview, your account representative enables Snowflake Image Registry for your account. This is required before you can perform Snowpark Container Services operations.

Image registry hostname

Each image registry in a Snowflake account has a unique hostname, which allows OCI clients (such as Docker CLI) to access an image registry using REST API calls. The general syntax for an image registry hostname is:

<orgname>-<acctname>.registry.snowflakecomputing.com

In the hostname:

  • <orgname>-<acctname> identifies a Snowflake account.

  • registry allows Snowflake to provide hostnames per account for registry customers.

    The hostname is always all lowercase.

Note

A Snowflake account name (<acctname>) can have an underscore (for example, my_account), but underscores are not valid in a URL. Therefore, when using a registry hostname, you need to replace an underscore with a dash. For example, change my_account to my-account.

You can find your organization name and account name information for image repository host names in one of the following ways:

Image repository

A registry is a service that serves the OCIv2 API, and a repository is a storage unit that you create within the service.

A repository is a named location in your account where you store images. This is similar to the relationship between a DBMS and a table within the DBMS. That is, a DBMS is equivalent to a registry, and a table is equivalent to a repository.

You can create one or more repositories in your Snowflake account. For example, DEV, TEST, and PROD repositories can store images during development, testing, and production. You can also create repositories that have different permissions; for example, some repositories may be read-only for some roles.

Access control is supported at the repository level; individual image-level access control is not supported.

For uploading images to an image repository, the registry service supports authentication using a username and password and single sign-on (SSO).

Attention

Snowpark Container Services image repositories do not support Tri-Secret Secure and Periodic rekeying. This means that if your account has enabled Tri-Secret Secure or enabled Periodic rekeying, while all other Snowflake data will continue to have added security, any images stored in your Snowpark Container Services image repositories will not benefit from this added security.

To create an image repository in an account with Tri_Secret Secure or Periodic rekeying, you must first confirm that you understand and agree to continue without the benefit from this additional security for your image repositories. To confirm agreement, an account administrator (user with the ACCOUNTADMIN role) will need to set the account-level parameter ENABLE_TRI_SECRET_AND_REKEY_OPT_OUT_FOR_IMAGE_REPOSITORY to TRUE.

Image repository URL

The following is a general syntax for a Snowflake repository URL:

<registry-hostname>/<db_name>/<schema_name>/<repository_name>

For example,

myorg-myacct.registry.snowflake.com/my_db/my_schema/my_repository

To look up the repository URL in your account, use the SHOW IMAGE REPOSITORIES SQL command.

Note

  • Snowflake URL-encodes the $ character, which is the only non-URL character Snowflake supports in identifiers (See Identifier Requirements). Double-quoted names that contain special characters are not supported.

  • When you manually construct a repository URL, replace an underscore in an account name (my_acct) with a dash (my-acct).

Repository operations

To create and manage repositories, Snowflake supports the following repository operations:

  • CREATE IMAGE REPOSITORY

  • DROP IMAGE REPOSITORY

  • SHOW IMAGE REPOSITORIES

To list images stored within a Snowflake image repository, use the following function:

For an example of creating a repository and uploading an image, see Tutorial Common Setup.

Repository privileges

When you work with a repository, the following privilege model applies:

  • To create a repository in a schema, you must have the CREATE IMAGE REPOSITORY privilege on the schema.

  • For repository management, the following privileges (capabilities) are supported:

    Privilege

    Usage

    READ

    Enables listing and downloading images from a repository.

    WRITE

    Enables listing and downloading images from a repository. You can also push images in the repository.

    OWNERSHIP

    Enables listing and downloading images from a repository. You can also push images in the repository.