Area: Deployment Issues
Sub-Area: Remote Executor Image Configuration
Issue
When attempting to pull the DataHub Cloud Remote Executor Docker image, users may encounter pull failures if they use an incorrect image tag format or registry path. The most common mistake is omitting the required -cloud suffix from the version tag (e.g., using v1.1.2 instead of v1.1.2-cloud). All DataHub Cloud Remote Executor images follow a strict versioning convention that requires this suffix, and any deviation will result in a failed image pull.
Error Messages
Error response from daemon: manifest unknown: Failed to fetchError: failed to pull image: not foundunauthorized: authentication required
You Might Be Asking
- Why can't I pull the Remote Executor image using the version tag shown in the DataHub UI or release notes?
- What is the correct image tag format for the DataHub Cloud Remote Executor?
- Why does my
docker pullor Kubernetes pod fail to pull the executor image? - What registry hosts the DataHub Cloud Remote Executor image?
Solution
-
Use the correct tag format with the
-cloudsuffix. All DataHub Cloud Remote Executor image tags must include the-cloudsuffix appended to the semantic version. The pattern is:vX.Y.Z-cloudFor example, for version
1.1.2, the correct tag is:v1.1.2-cloudIncorrect (missing
-cloudsuffix — will fail):datahub-executor:v1.1.2Correct:
datahub-executor:v1.1.2-cloud -
Use the correct registry. The DataHub Cloud Remote Executor image is hosted exclusively on a private AWS Elastic Container Registry (ECR). It is not available on Google Artifact Registry or Docker Hub. The full image reference format is:
795586375822.dkr.ecr.us-west-2.amazonaws.com/datahub-executor:v<X.Y.Z>-cloudReplace
<X.Y.Z>with the specific version you are targeting (e.g.,1.1.2):795586375822.dkr.ecr.us-west-2.amazonaws.com/datahub-executor:v1.1.2-cloud -
Ensure your environment has ECR access. Because the image is hosted on a private ECR repository, your AWS account, Kubernetes service account, or node instance profile must be allowlisted for pull access. If you are not already allowlisted, contact DataHub Support to request ECR access for your deployment environment.
-
Verify the version in your Helm chart or deployment configuration. If you are deploying via the DataHub Executor Helm chart, confirm that the
image.tagvalue in yourvalues.yamlincludes the-cloudsuffix:image: repository: 795586375822.dkr.ecr.us-west-2.amazonaws.com/datahub-executor tag: v<X.Y.Z>-cloud -
Confirm the target version with DataHub Support if unsure. To identify the correct executor image version for your specific DataHub Cloud environment, contact DataHub Support or refer to your environment's application configuration. Different environments (e.g., production, staging, development) may run different executor versions.
Additional Notes
The -cloud suffix has been a consistent requirement across all DataHub Cloud Remote Executor releases and is not version-specific. There is no version of the Remote Executor at which the tag format did not require this suffix. The Google Artifact Registry path (us-docker.pkg.dev/acryl-prod/datahub/datahub-executor) is not a valid or operational registry for Remote Executor images and will always result in a pull failure. Always use the AWS ECR path documented above. If your Kubernetes nodes are not running in AWS (e.g., GKE or AKS), you will still need to configure ECR credentials and ensure the appropriate IAM or cross-cloud authentication is in place.
Related Documentation
Tags: remote-executor, docker, image-pull, ecr, cloud-suffix, deployment, helm, kubernetes, ingestion, container-registry