Cross-Account ECR: The Ultimate Solution for Effortless Docker Image Sharing
Following the approach in the AWS documentation, this article outlines how to let one AWS account pull images from an Elastic Container Registry (ECR) repository owned by another AWS account. We'll break this down into three main sections:
1. Allowing Access to ECR for Other AWS Accounts
To enable read-only (pull) access for a specific AWS account (Account ID 2222222222), you must create a repository policy in JSON format and attach it to the repository in the owning account (Account 1111111111). The policy specifies which actions the specified account is allowed to perform on that repository. Note that real AWS account IDs are 12 digits; the 10-digit values in this article are placeholders. Here's an example policy:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Allow2222222222Access",
    "Effect": "Allow",
    "Action": [
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability"
    ],
    "Principal": {
      "AWS": "arn:aws:iam::2222222222:root"
    }
  }]
}
This policy permits read-only pulls by any IAM entity in Account 2222222222: naming the account's root principal delegates the grant to that account, whose own IAM policies then decide which users and roles may actually use it. To restrict the grant to particular users or roles, list their IAM ARNs in the "Principal" field instead of the root principal.
2. Granting IAM Entity Permissions in the Client Account
It's crucial to remember that a repository policy is a resource-based policy: it states which principals the owning account trusts, but it does not by itself grant anything to an entity in the client account. For cross-account access, the caller's own IAM policy in Account 2222222222 must also allow the same ECR actions; both policies must allow the request, and an explicit deny on either side wins. The IAM policy is quite similar to the repository policy, except that "Principal" is replaced by "Resource" (the ARN of the repository in the owning account). It must additionally allow ecr:GetAuthorizationToken, which docker login needs; that action is not tied to a repository, so its resource is "*":
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowAccessToExampleRepo",
    "Effect": "Allow",
    "Action": [
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability"
    ],
    "Resource": [
      "arn:aws:ecr:us-east-1:1111111111:repository/example"
    ]
  }, {
    "Sid": "AllowLogin",
    "Effect": "Allow",
    "Action": [
      "ecr:GetAuthorizationToken"
    ],
    "Resource": ["*"]
  }]
}
This policy grants pull access to the example repository and allows the IAM entity to obtain an authorization token. Entities that already hold broad permissions (for example PowerUserAccess or AdministratorAccess) do not need a policy this granular, since those policies already cover the ECR actions; the repository policy in the owning account is still required in every case.
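The following is an added worked example, not code from this article or from AWS. It generates the two policy documents above for a given pair of account IDs (rejecting the article's 10-digit placeholders, since real account IDs are 12 digits) and then evaluates a pull the way cross-account authorization works: the owning account's repository policy and the caller's IAM policy must both allow each action, and an explicit Deny on either side wins. The evaluator is a deliberate simplification of IAM (exact-ARN, account-root and "*" principals only; no Condition, NotAction or NotResource; cross-account requests only), and the function names and the 12-digit sample IDs are this example's own assumptions.

```python
import fnmatch
import json
import re

# Real AWS account IDs are 12 digits; the article's 10-digit values are placeholders.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# The read-only pull actions granted by both policies in the article.
PULL_ACTIONS = [
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "ecr:BatchCheckLayerAvailability",
]

def _check_account(account):
    if not ACCOUNT_ID_RE.match(account):
        raise ValueError("AWS account IDs are 12 digits, got %r" % account)

def repository_policy(client_account, principals=None):
    """Resource policy attached to the repository in the OWNING account.
    principals defaults to the client account's root, which delegates the
    grant to whatever IAM entities that account chooses to allow."""
    _check_account(client_account)
    principals = principals or ["arn:aws:iam::%s:root" % client_account]
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "Allow%sAccess" % client_account,
        "Effect": "Allow",
        "Action": list(PULL_ACTIONS),
        "Principal": {"AWS": principals},
    }]}

def iam_policy(owner_account, region, repo_name):
    """Identity policy for the pulling entity in the CLIENT account. The token
    call is served by the caller's own registry and is not tied to a repository,
    so it needs Resource "*"."""
    _check_account(owner_account)
    repo_arn = "arn:aws:ecr:%s:%s:repository/%s" % (region, owner_account, repo_name)
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowPull", "Effect": "Allow",
         "Action": list(PULL_ACTIONS), "Resource": [repo_arn]},
        {"Sid": "AllowLogin", "Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken"], "Resource": ["*"]},
    ]}

def registry_host(account, region):
    """Registry endpoint that docker login must name for a given account."""
    return "%s.dkr.ecr.%s.amazonaws.com" % (account, region)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _any_match(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_matches(statement, principal_arn):
    """Resource-policy principal check: '*', the exact ARN, or the account root."""
    root = "arn:aws:iam::%s:root" % principal_arn.split(":")[4]
    allowed = _as_list(statement.get("Principal", {}).get("AWS", []))
    return any(p in ("*", principal_arn, root) for p in allowed)

def _evaluate(policy, action, resource_arn, principal_arn=None):
    """Return 'Allow', 'Deny' or None (implicit deny) for one policy document.
    principal_arn is given only for resource policies; an identity policy is
    already scoped to the entity it is attached to."""
    verdict = None
    for s in policy.get("Statement", []):
        if principal_arn is not None and not _principal_matches(s, principal_arn):
            continue
        if not _any_match(s["Action"], action):
            continue
        # Repository policies carry no Resource: they apply to the repo they sit on.
        if not _any_match(s.get("Resource", "*"), resource_arn):
            continue
        if s["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict

def cross_account_pull_allowed(principal_arn, repo_policy, identity_policy, repo_arn):
    """Cross-account rule: the owner's repository policy AND the caller's IAM
    policy must both allow every pull action; an explicit Deny in either wins."""
    if principal_arn.split(":")[4] == repo_arn.split(":")[4]:
        raise ValueError("this evaluator models cross-account access only")
    for action in PULL_ACTIONS:
        verdicts = (_evaluate(repo_policy, action, repo_arn, principal_arn),
                    _evaluate(identity_policy, action, repo_arn))
        if verdicts != ("Allow", "Allow"):
            return False
    # docker login also needs the token call, authorized purely by the caller's IAM policy.
    return _evaluate(identity_policy, "ecr:GetAuthorizationToken", "*") == "Allow"

if __name__ == "__main__":
    owner, client, region = "111111111111", "222222222222", "us-east-1"
    repo, iam = repository_policy(client), iam_policy(owner, region, "example")
    print(json.dumps(repo, indent=2), json.dumps(iam, indent=2), sep="\n")
    print("docker login target:", registry_host(owner, region))
    print(cross_account_pull_allowed("arn:aws:iam::%s:role/ci" % client, repo, iam,
                                     "arn:aws:ecr:%s:%s:repository/example" % (region, owner)))
```

Run it as a script to print both documents and the decision for a role named ci in the client account; the useful experiments are removing the second IAM statement (the pull is refused because docker login cannot get a token), pointing the IAM policy at a different repository ARN, or adding a Deny statement to the repository policy, each of which flips the result to False even though the other side still allows.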
3. Obtaining ECR Credentials for Docker Login
To get ECR credentials for docker login, use the AWS CLI with the credentials of the pulling entity in Account 2222222222. With AWS CLI v1, the ecr get-login command prints a ready-made docker login command; specify the --registry-ids flag so that the generated command targets the owning account's registry instead of your own:
aws ecr get-login --registry-ids 1111111111
The ecr:GetAuthorizationToken call is always made with the caller's credentials (Account 2222222222 in this example), never with credentials from the account where the repository is located (Account 1111111111), which is why the AllowLogin statement belongs in the caller's IAM policy. The --registry-ids flag does not change which account issues the token; it only changes the registry hostname (1111111111.dkr.ecr.us-east-1.amazonaws.com) written into the generated docker login command. The resulting token is valid for 12 hours and works against any registry the caller is permitted to access.
Note that aws ecr get-login was removed in AWS CLI v2. The equivalent is to fetch the password and pipe it to docker login, naming the owning account's registry explicitly:
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 1111111111.dkr.ecr.us-east-1.amazonaws.com
After either form of login, docker pull 1111111111.dkr.ecr.us-east-1.amazonaws.com/example:<tag> succeeds only if both the repository policy from section 1 and the IAM policy from section 2 are in place.
In summary, this article clarifies the process of allowing access to ECR across different AWS accounts through repository policies, IAM entity permissions, and obtaining ECR credentials for docker login.