I have 2 AWS accounts:
- account A that has an ECR repo.
- account B that has an ECS cluster running Fargate.
I have created a "cross-account" role in account A with a trust relationship to account B, and I have also attached the "AmazonEC2ContainerRegistryPowerUser" policy to this role.
I gave access to the ECR repository in account A by adding account B's id and the "cross-account" role to the repository policy.
I attached a policy to the Fargate "TaskExecutionRole" allowing Fargate to assume the "cross-account" role.
When trying to deploy a Fargate task in account B with a reference to an image in account A I'm getting a 500 error.
In order to transfer a Docker image from one server to another, what you need to do is first export the image to a file, then copy that file over from your current server to the new one using scp or rsync and finally load the image to your new server.
Fargate will not automatically assume a cross-account role. Fortunately, you do not need to assume a role in another account in order to pull images from that account's ECR repository.
To enable cross-account access to an image in ECR, add access for account B in account A's repository (by setting the repository policy), and then specify a TaskExecutionRole in account B that has permissions to pull from ECR ("ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability").
For example, set a repository policy on the repository in account A like the following:
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT_B_ID:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage"
            ]
        }
    ]
}
Then, set your TaskExecutionRole in account B to have a policy like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage"
            ],
            "Resource": "*"
        }
    ]
}
Alternately, you can use the managed policy AmazonECSTaskExecutionRolePolicy for your TaskExecutionRole instead of defining your own.
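The two-sided grant described in this answer (repository policy in account A, execution role policy in account B, no role assumption) can be checked mechanically before a deployment fails with an opaque error. The following Python is an added example, not code from the question or the answer: it parses both policy documents, expands wildcard actions such as ecr:*, and reports whichever grant is missing. The account id 222222222222 is a constructed placeholder, and Resource and Condition elements are deliberately not evaluated.

```python
import fnmatch
import json

# Pull actions account A's repository policy must grant; account B's role also needs a login token.
PULL_ACTIONS = {"ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"}
TOKEN_ACTION = "ecr:GetAuthorizationToken"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allowed_actions(policy_json, principal_filter=None):
    """Relevant actions granted by Allow statements, expanding patterns such as
    'ecr:*'. Resource and Condition elements are deliberately not evaluated."""
    allowed = set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_filter is not None:
            principal = stmt.get("Principal", {})
            principals = (["*"] if principal == "*"
                          else _as_list(principal.get("AWS", [])))
            if not any(principal_filter(p) for p in principals):
                continue
        for pattern in _as_list(stmt.get("Action", [])):
            allowed.update(a for a in PULL_ACTIONS | {TOKEN_ACTION}
                           if fnmatch.fnmatch(a, pattern))
    return allowed

def check_cross_account_pull(repo_policy, exec_role_policy, puller_account_id):
    """Return the missing grants; an empty list means both sides allow the pull."""
    def is_puller(principal):
        # Match the puller's account root ARN, a bare account id, or '*'.
        return (principal in ("*", puller_account_id)
                or principal.startswith(f"arn:aws:iam::{puller_account_id}:"))
    repo_allows = _allowed_actions(repo_policy, is_puller)
    role_allows = _allowed_actions(exec_role_policy)
    missing = [f"repository policy lacks {a} for account {puller_account_id}"
               for a in sorted(PULL_ACTIONS - repo_allows)]
    missing += [f"execution role lacks {a}"
                for a in sorted((PULL_ACTIONS | {TOKEN_ACTION}) - role_allows)]
    return missing

# Constructed sample policies (placeholder account id) mirroring the answer above.
REPO_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
    "Action": sorted(PULL_ACTIONS)}]})
EXEC_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": sorted(PULL_ACTIONS | {TOKEN_ACTION}),
    "Resource": "*"}]})
```

A repository policy that names only the cross-account role in account A as principal, as in the question, produces three "repository policy lacks ..." findings for account B, which is exactly the gap the answer points out.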