I have 2 AWS accounts:
- account A that has an ECR repo.
- account B that has an ECS cluster running Fargate.

I have created a "cross-account" role in account A with a trust relationship to account B, and I have also attached the "AmazonEC2ContainerRegistryPowerUser" policy to this role.

I gave access to the ECR repository in account A by adding account B's ID and the "cross-account" role to the repository policy.

I attached a policy to the Fargate "TaskExecutionRole" allowing Fargate to assume the "cross-account" role.

When trying to deploy a Fargate task in account B with a reference to an image in account A, I'm getting a 500 error.

Anthony Khodr
  • 500 means Internal Server Error and not permissions error. Are you sure the pull is correct? I have seen a 500 error with too many layers, too big and with naming problems but not with cross account access. – John Hanley Oct 22 '18 at 06:43

1 Answer

Fargate will not automatically assume a cross-account role. Fortunately, you do not need to assume a role in another account in order to pull images from that account's ECR repository.

To enable cross-account access to an image in ECR, add access for account B in account A's repository (by setting the repository policy), and then specify a TaskExecutionRole in account B that has permissions to pull from ECR ("ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability").

For example, set a repository policy on the repository in account A like the following:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_B_ID:root"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage"
      ]
    }
  ]
}

Then, set your TaskExecutionRole in account B to have a policy like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    }
  ]
}

Alternately, you can use the managed policy AmazonECSTaskExecutionRolePolicy for your TaskExecutionRole instead of defining your own.

Samuel Karp
  • Samuel’s answer is excellent. If anyone however tries to limit the resources to specific repositories, please keep the GetAuthorizationToken action applicable to all resources. It was a pain to realize, but it is documented here: https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-supported-iam-actions-resources.html – x16forest Jun 20 '19 at 00:25
  • Why do these two policies use different `Version`s? – kbolino Jun 19 '23 at 19:23
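The following is an added example, not code from the question or the answer above. It builds the two policy documents the answer describes, adds the execution role's trust policy (ECS assumes the execution role through the ecs-tasks.amazonaws.com service principal, which is why no role in account A ever needs to be assumed), and lints both documents for the failure modes this thread raises: a task execution role that scopes ecr:GetAuthorizationToken to a repository ARN (the pitfall in x16forest's comment) and a repository policy that names the wrong account. The account IDs, region and repository name are placeholders; the lint functions are this example's own logic, not an AWS API. On the Version question: both strings are accepted, "2008-10-17" being what ECR emits for repository policies and "2012-10-17" the current IAM policy language version.

```python
"""Build and lint the cross-account ECR pull policies (added example, stdlib only)."""
import json
from fnmatch import fnmatch

ACCOUNT_A = "111111111111"  # assumption: account that owns the ECR repository
ACCOUNT_B = "222222222222"  # assumption: account that runs the Fargate task
REGION = "us-east-1"        # assumption
REPO_NAME = "my-app"        # assumption
REPO_ARN = f"arn:aws:ecr:{REGION}:{ACCOUNT_A}:repository/{REPO_NAME}"

# The three actions the execution role needs on the repository itself.
PULL_ACTIONS = (
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
)


def repository_policy(consumer_account: str) -> dict:
    """Resource policy for the repo in account A. A repository policy is
    implicitly scoped to its repository, so it carries no Resource element."""
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountPull",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{consumer_account}:root"},
            "Action": list(PULL_ACTIONS),
        }],
    }


def task_execution_policy(repo_arns: list) -> dict:
    """Identity policy for the execution role in account B, scoped to repo_arns.
    ecr:GetAuthorizationToken has no resource-level permissions, so it gets its
    own statement with Resource "*"; scoping it to a repo ARN breaks the login."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EcrLogin", "Effect": "Allow",
             "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {"Sid": "EcrPull", "Effect": "Allow",
             "Action": list(PULL_ACTIONS), "Resource": list(repo_arns)},
        ],
    }


def task_execution_trust_policy() -> dict:
    """Trust policy: the ECS service assumes the execution role to pull the image."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ecs-tasks.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_statements(policy: dict):
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            yield stmt


def lint_execution_policy(policy: dict, repo_arn: str) -> list:
    """Return the problems that would make the execution role's pull of repo_arn fail."""
    problems, token_seen, pull_granted = [], False, set()
    for stmt in _allow_statements(policy):
        actions = set(_as_list(stmt.get("Action", [])))
        resources = set(_as_list(stmt.get("Resource", [])))
        if actions & {"ecr:GetAuthorizationToken", "ecr:*"}:
            token_seen = True
            if "*" not in resources:
                problems.append('ecr:GetAuthorizationToken is resource-scoped; it needs Resource "*"')
        if any(fnmatch(repo_arn, r) for r in resources):  # "*" and repo wildcards match
            if "ecr:*" in actions:
                pull_granted.update(PULL_ACTIONS)
            pull_granted.update(actions & set(PULL_ACTIONS))
    if not token_seen:
        problems.append("ecr:GetAuthorizationToken is not granted")
    problems.extend(f"{a} is not granted on {repo_arn}" for a in PULL_ACTIONS if a not in pull_granted)
    return problems


def lint_repository_policy(policy: dict, consumer_account: str) -> list:
    """Return the problems that would stop consumer_account pulling from the repo."""
    granted = set()
    for stmt in _allow_statements(policy):
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if any(p == "*" or p == consumer_account or f":{consumer_account}:" in p for p in principals):
            granted.update(_as_list(stmt.get("Action", [])))
    if "ecr:*" in granted:
        return []
    return [f"{a} is not granted to account {consumer_account}" for a in PULL_ACTIONS if a not in granted]


if __name__ == "__main__":
    print(json.dumps(repository_policy(ACCOUNT_B), indent=2))
    print(json.dumps(task_execution_policy([REPO_ARN]), indent=2))
    print(lint_execution_policy(task_execution_policy([REPO_ARN]), REPO_ARN))
```

Run it and both lint calls on the generated documents return an empty list; feed lint_execution_policy a policy that puts ecr:GetAuthorizationToken and the pull actions in one statement scoped to the repository ARN and it reports the token problem, which is the misconfiguration that surfaces as a pull failure in the task's stopped reason rather than as an obvious IAM denial.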