Push to our ECR, point AgentDepot at it, we handle IAM + Secrets + Composio.
When to use BYO Docker
If your agent has unusual system deps (CUDA, native libs, browser binaries, custom Linux distros), the auto-build pipeline can't help — write your own Dockerfile and push the image yourself. We still own the IAM role, Secrets Manager mount, Composio OAuth, OTEL wrapper config, and AgentCore deploy.
Push to our ECR
Your portal Department tab generates per-account ECR push credentials (short-lived). Tag and push as normal:
aws ecr get-login-password --region us-east-1 | \
docker login --username AWS --password-stdin \
471176250120.dkr.ecr.us-east-1.amazonaws.com
docker buildx build --platform linux/arm64 \
-t 471176250120.dkr.ecr.us-east-1.amazonaws.com/agentdepot-byo/{accountId}:v1 .
docker push 471176250120.dkr.ecr.us-east-1.amazonaws.com/agentdepot-byo/{accountId}:v1Required image contract
Your image must (1) accept invocations on port 8080, (2) emit a /healthz endpoint returning 200 when ready, (3) read AgentCore-injected env vars with no special prefix. We provide a thin wrapper image (public.ecr.aws/agentdepot/runtime-base:latest) that handles steps 1–2 if you don't want to roll your own.
Deploy
From the portal: 'Add custom Docker runtime' → paste image URI → connect secrets → deploy. We call AgentCore CreateAgentRuntime with your image; everything else (IAM, Composio, OTEL, observability) is identical to auto-built imports.