15

I've two accounts: Account A and Account B. I would like to run an image from ECR at Account A on EKS on Account B.

I'm a bit confused about how to give the EKS the permissions. At first I thought of creating a docker-registry in the EKS with User role. But, as I read more, I understood that it's not the way.

Has anyone tried it before?

ElinN

2 Answers

17

First, your EKS needs to have IAM permissions to do these operations as if they were performed against ECR in the same account.

Second, you need to allow the other account to access the ECR repository. You can do this by logging into the management console of the account that hosts the ECR. Go to ECR -> click on the repository that you want to make accessible by the other account -> on the left panel, click on Permissions -> click Edit -> click Add statement -> fill in the "AWS account IDs - optional" field with the account number of your second account, leave the rest untouched -> click Save.

Matus Dubrava
  • That actually worked. I already have a role but the permissions on the repository were the missing part. – ElinN Aug 01 '19 at 13:57
  • 3
    Is there a way to give permission to access all ECR repos in the account, rather than having to give permission for each repository? – Nathan A Jun 17 '20 at 14:02
  • @NathanA that's the funniest portion with AWS, they don't have a way to manage it for all the repos in the registry. How did you manage it? I am also in the same situation – Ysak Sep 23 '21 at 17:52
  • @Ysak In my case, we ended up managing all the repos using Pulumi (though Formation or Terraform would work just as well). Using Pulumi, and a single repo configuration, we create multiple ECR repos with the same access permissions. Redundant, yes, but much easier to manage than doing it all manually. – Nathan A Sep 23 '21 at 19:44
  • Thanks, I would probably never have discovered that ECR needs a permission policy as well x_x – Darragh Enright Mar 23 '23 at 18:02
1

It pays to remember that AWS applies an Explicit Deny access policy by default. This translates to "Anything coming IN or going OUT needs to be explicitly allowed".

If you want to provide access to a specific ECR repository it can be achieved in the following manner:

  1. Create a resource policy on Account A

Note the Principal field granting access to the role in Account B.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_B_ID>:role/<ROLE_NAME>"
      },
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:ListTagsForResource",
        "ecr:DescribeImageScanFindings" 
      ]
    }
  ]
}

  2. Create a permission policy in Account B

For the ROLE_NAME specified above, the following permission policy needs to be added; otherwise, on an access attempt from Account B, you will get a 403 Forbidden. This policy satisfies the outbound access constraint for Account B.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetAuthorizationToken",
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*"
        },
        {
            "Sid": "AllowPullFromECRFooRepo",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings"
            ],
            "Resource": "arn:aws:ecr:<REGION>:<ACCOUNT_A_ID>:repository/foo/*"
        }
    ]
}
kaizenCoder
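As an added example (not part of this answer and not AWS code), a small offline checker for the two-policy setup described above: it verifies that the Account A repository policy names the Account B role as Principal and grants the pull actions, and that the Account B identity policy grants the same actions on an ECR repository ARN, with ecr:GetAuthorizationToken on "*". Account IDs, the role name and the repository name are constructed placeholders; the "bad" policy deliberately uses a registry hostname as Resource to show what the check flags.

```python
# Actions an image pull actually exercises on the repository. ecr:GetAuthorizationToken is a
# registry-wide action and must be granted on Resource "*" in the Account B identity policy.
PULL_ACTIONS = {"ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _allow_statements(policy):
    return [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]

def check_cross_account_pull(repo_policy, iam_policy, role_arn, repo_arn_prefix):
    """Return findings for an Account A repository policy plus an Account B IAM policy (empty = consistent)."""
    findings = []
    principals = set()
    for s in _allow_statements(repo_policy):
        p = s.get("Principal")
        principals.update(_as_list(p.get("AWS") if isinstance(p, dict) else p))
    if role_arn not in principals:
        findings.append("Account A repository policy does not name the Account B role as Principal")
    repo_actions = {a for s in _allow_statements(repo_policy) for a in _as_list(s.get("Action"))}
    if PULL_ACTIONS - repo_actions:
        findings.append("repository policy missing pull actions: %s" % sorted(PULL_ACTIONS - repo_actions))
    iam_allowed = set()
    for s in _allow_statements(iam_policy):
        resources, actions = _as_list(s.get("Resource")), set(_as_list(s.get("Action")))
        if "ecr:GetAuthorizationToken" in actions and "*" not in resources:
            findings.append('ecr:GetAuthorizationToken needs Resource "*" (it is not repository-scoped)')
        bad = [r for r in resources if r != "*" and not r.startswith(repo_arn_prefix)]
        if bad:  # IAM matches Resource against ARNs, so a registry hostname never matches anything
            findings.append("IAM Resource is not an ECR repository ARN: %s" % bad)
        else:
            iam_allowed |= actions
    if PULL_ACTIONS - iam_allowed:
        findings.append("Account B IAM policy missing pull actions: %s" % sorted(PULL_ACTIONS - iam_allowed))
    return findings

# Constructed sample input (placeholder account IDs, role and repository names).
ROLE_ARN = "arn:aws:iam::222222222222:role/eks-node-role"
REPO_ARN_PREFIX = "arn:aws:ecr:eu-west-1:111111111111:repository/foo/"
REPO_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "AllowPull", "Effect": "Allow",
    "Principal": {"AWS": ROLE_ARN}, "Action": sorted(PULL_ACTIONS) + ["ecr:GetAuthorizationToken"]}]}
# Resource written as the registry hostname: a common mistake that yields a 403 on pull.
BAD_IAM_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "AllowPullFromECRFooRepo", "Effect": "Allow",
    "Action": sorted(PULL_ACTIONS) + ["ecr:GetAuthorizationToken"],
    "Resource": "111111111111.dkr.ecr.eu-west-1.amazonaws.com/foo/*"}]}
GOOD_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow", "Action": sorted(PULL_ACTIONS), "Resource": REPO_ARN_PREFIX + "*"}]}
```

Run `check_cross_account_pull(REPO_POLICY, BAD_IAM_POLICY, ROLE_ARN, REPO_ARN_PREFIX)` to see the three findings for the hostname-style Resource; the GOOD policy pair returns an empty list.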