26

I have two accounts - Account A and Account B. In Account A, I have a policy under which a user from Account B can interact with Account A. I have a repository in both accounts. Account B doesn't have a policy set (not sure if I need a policy for Account A to interact with it).

My question is: how do I push ECR images from Account A into Account B? I would like a copy of Account A's image in Account B. Is this possible?

Chris Williams
Paris

4 Answers

38

This is not a currently supported feature of ECR so you would need to perform the following steps to migrate from one account to another:

  • `aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com` - Run this for the source account
  • `docker pull $SOURCE_IMAGE:$VERSION` - Pull the latest tag down to your local
  • `docker tag $SOURCE_IMAGE:$VERSION $TARGET_IMAGE:$VERSION` - Tag a new image based on the original source image
  • `aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com` - Run this for the target account
  • `docker push $TARGET_IMAGE:$VERSION` - Push the docker image up to the target ECR account.
Pablo Matias Gomez
Chris Williams
  • Thank you! I will give it a go! – Paris Jul 10 '20 at 18:45
  • You need to add a pipe before the docker login command, e.g.: `aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com` – Edenshaw Dec 07 '20 at 17:09
  • 1
    Oops, thanks for pointing out. Adjusted the comment @Edenshaw – Chris Williams Dec 07 '20 at 17:10
  • 1
    Note that while this is still the accepted answer (@paris), it is no longer accurate as AWS added this feature to ECR in December 2020. For more info, see https://stackoverflow.com/a/67671301/149428. – Taylor D. Edmiston Aug 17 '21 at 18:21
  • While CRR/CAR are great tools, this answer is still very relevant if you are interested in one-off deployments. – Diego Ferri Jun 06 '23 at 09:02
7

If you want to move all repositories from a particular region to another account (the destination account), then use the script below.

  • It will list all repos from Account A
  • Pull an image from Account A, one by one
  • Create the repo in Account B
  • Tag the image
  • Push the image to Account B
```bash
#!/bin/bash
# "Target" is the source account (Account A); "destination" is Account B.
TARGET_ACCOUNT_REGION="us-west-2"
DESTINATION_ACCOUNT_REGION="us-west-2"
# No trailing slash: the repository name is appended as "/<name>" below.
DESTINATION_ACCOUNT_BASE_PATH="123456.dkr.ecr.$DESTINATION_ACCOUNT_REGION.amazonaws.com"

# Repository URIs and names from the source account (parallel arrays)
REPO_LIST=($(aws ecr describe-repositories --query 'repositories[].repositoryUri' --output text --region "$TARGET_ACCOUNT_REGION"))
REPO_NAME=($(aws ecr describe-repositories --query 'repositories[].repositoryName' --output text --region "$TARGET_ACCOUNT_REGION"))

for repo_url in "${!REPO_LIST[@]}"; do
        echo "start pulling image ${REPO_LIST[$repo_url]} from Target account"
        # No tag is given, so only the "latest" tag of each repository is pulled
        docker pull "${REPO_LIST[$repo_url]}"

        # Create repo in destination account, remove this line if already created
        aws ecr create-repository --repository-name "${REPO_NAME[$repo_url]}" --region "$DESTINATION_ACCOUNT_REGION" --profile destination_account
        docker tag "${REPO_LIST[$repo_url]}" "$DESTINATION_ACCOUNT_BASE_PATH/${REPO_NAME[$repo_url]}"
        docker push "$DESTINATION_ACCOUNT_BASE_PATH/${REPO_NAME[$repo_url]}"
done
```

Make sure you have already obtained a login token for both accounts, or add these commands to the script.

```bash
# source account login: log in to the registry host part of the repository URI
aws ecr get-login-password --region "$TARGET_ACCOUNT_REGION" | docker login --username AWS --password-stdin "${REPO_LIST[$repo_url]%%/*}"
# destination account login, make sure the profile is set for the destination account
aws ecr get-login-password --region "$DESTINATION_ACCOUNT_REGION" --profile destination_account | docker login --username AWS --password-stdin "${DESTINATION_ACCOUNT_BASE_PATH%%/*}"
```

aws-cli-cheatsheet

Or you can use one of them

Cross account replication

Amazon ECR uses registry settings to configure features at the registry level. The private registry settings are configured separately for each Region. Currently, the only registry setting is the replication setting, which is used to configure cross-Region and cross-account replication of the images in your repositories.

Adiii
  • `docker pull ${REPO_LIST[$repo_url]}` I'm confused: won't that just pull the 'latest' image from each repo? Isn't the question how to copy all images from A to B? – Kutzi Jan 06 '22 at 13:10
  • yeah it will copy all image with "latest" tags – Adiii Jan 06 '22 at 13:15
5

cross Region/account Replication feature in AWS

AWS has launched CRR (Cross Region Replication) and CAR (Cross Account Replication). Click here for more info

Ravi Rathnam
0

AWS ECR Cross Region/Account Replication Feature allows replication of NEW objects. If you had an existing repository and wanted to replicate all its objects to another region/account, Chris's answer is still the right one.

More Details: https://docs.aws.amazon.com/AmazonECR/latest/userguide/replication.html#replication-considerations
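
The login, pull, tag and push steps from the answers above, extended to copy every tagged image of an existing repository instead of only `latest`. This is an added example, not code from any of the answers. It assumes both registries are in the same region and that AWS CLI profiles named `source_account` and `destination_account` exist (the second name is taken from the script above, the first is hypothetical); the account ids and repository name in the usage comment are constructed.

```shell
#!/bin/sh
# Added example: copy all tagged images of one ECR repository across accounts.
# Assumed AWS CLI profile names; override them through the environment.
SRC_PROFILE="${SRC_PROFILE:-source_account}"
DST_PROFILE="${DST_PROFILE:-destination_account}"

registry_host() {  # $1 = account id, $2 = region
    printf '%s.dkr.ecr.%s.amazonaws.com' "$1" "$2"
}

ecr_login() {  # $1 = profile, $2 = region, $3 = registry host
    # The token is piped on stdin so it never appears in argv or shell history.
    aws ecr get-login-password --region "$2" --profile "$1" |
        docker login --username AWS --password-stdin "$3"
}

list_tags() {  # $1 = profile, $2 = region, $3 = repository name
    aws ecr list-images --profile "$1" --region "$2" --repository-name "$3" \
        --filter tagStatus=TAGGED --query 'imageIds[].imageTag' --output text |
        tr '\t' '\n'
}

copy_repo() {  # $1 = source account id, $2 = destination account id, $3 = region, $4 = repository
    cr_src="$(registry_host "$1" "$3")"
    cr_dst="$(registry_host "$2" "$3")"
    COPIED=0  # number of tags pushed, readable by the caller afterwards
    ecr_login "$SRC_PROFILE" "$3" "$cr_src" || return 1
    ecr_login "$DST_PROFILE" "$3" "$cr_dst" || return 1
    # Create the destination repository only when it does not exist yet.
    aws ecr describe-repositories --profile "$DST_PROFILE" --region "$3" \
        --repository-names "$4" >/dev/null 2>&1 ||
        aws ecr create-repository --profile "$DST_PROFILE" --region "$3" \
            --repository-name "$4" >/dev/null || return 1
    for cr_tag in $(list_tags "$SRC_PROFILE" "$3" "$4"); do
        docker pull "$cr_src/$4:$cr_tag" &&
            docker tag "$cr_src/$4:$cr_tag" "$cr_dst/$4:$cr_tag" &&
            docker push "$cr_dst/$4:$cr_tag" || return 1
        COPIED=$((COPIED + 1))
    done
}

# Usage: ./copy-ecr-repo.sh 111111111111 222222222222 us-west-2 my-repo
# (constructed account ids and repository name)
if [ "$#" -eq 4 ]; then
    copy_repo "$@" && echo "copied $COPIED tag(s)"
fi
```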