I'm attempting to allow one AWS account (called "second" below) to pull an image in an ECR repository of another AWS account (called "first" below).
I'm following these documents:
I have added the following permissions to the ECR repository:
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<second>:root"
            },
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"
            ]
        }
    ]
}
Then I run this command: eval "$(aws ecr get-login --no-include-email --region us-east-1 --profile second --registry-ids <second> <first>)"
And I get this result:
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /Users/libby/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /Users/libby/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
I changed the store to config.json temporarily just to make sure I could see that authentication was being added to the file as I expected, and it is:
{
    "auths": {
        "<second>.dkr.ecr.us-east-1.amazonaws.com": {
            "auth": "<super long token>"
        },
        "<first>.dkr.ecr.us-east-1.amazonaws.com": {
            "auth": "<super long token>"
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/18.09.0 (darwin)"
    },
    "stackOrchestrator": "swarm"
}
Finally I run: docker pull <first>.dkr.ecr.us-east-1.amazonaws.com/<repo>:<tag>
and get this result:
Error response from daemon: pull access denied for <first>.dkr.ecr.us-east-1.amazonaws.com/<repo>, repository does not exist or may require 'docker login'
I've triple checked that all the account numbers are correct, and the repo is definitely there. I'm able to pull it if I log in with the same get-login command but --profile first.
I'm not sure what else to try so that I can pull this image!
Changing the Principal in the ECR permissions to "AWS": "arn:aws:iam::<second>:user/<user>" doesn't make any difference.
To authenticate Docker to an Amazon ECR registry with get-login-password, run the aws ecr get-login-password command. When passing the authentication token to the docker login command, use the value AWS for the username and specify the Amazon ECR registry URI you want to authenticate to.
I figured it out -- the IAM user in the "second" account had a policy attached that limited its ECR access. The policy was:
{
    "Sid": "ECRAccess",
    "Effect": "Allow",
    "Action": "ecr:*",
    "Resource": "arn:aws:ecr:us-east-1:<second>:repository/<unrelated-repo>"
}
So even though the ECR repository in the "first" account had permissions allowing the user access, the user's own account restricted its access to a single unrelated repository.
When I added another section with the first account's repository ARN:
{
    "Sid": "FirstAccountECRAccess",
    "Effect": "Allow",
    "Action": "ecr:*",
    "Resource": "arn:aws:ecr:us-east-1:<first>:repository/<repo>"
}
Then docker pull worked!
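The root cause above is the rule that governs every cross-account request in AWS: the caller's identity-based policy (in the caller's account) and the repository's resource-based policy (in the owning account) must both allow the action, and an explicit Deny on either side wins. The following is an added illustration, not code from the question or from AWS. It is a deliberately simplified model of that evaluation (no conditions, SCPs, permission boundaries or session policies), with constructed placeholder account IDs, repository names and a hypothetical caller ARN, and it reproduces the failing and the fixed identity policies from the answer so you can see which side of the evaluation blocks the pull.

```python
"""Simplified model of IAM's cross-account evaluation for an ECR pull.

Added illustration, not AWS's evaluation engine. Rules modelled:
  * identity-based policy AND resource-based policy must both Allow,
  * an explicit Deny anywhere wins,
  * "ecr:*" style wildcards match via shell-style globbing.
Conditions, SCPs, permission boundaries and session policies are ignored.
"""
import fnmatch

# Constructed placeholder identifiers (not real accounts or repositories)
FIRST = "111111111111"                    # account that owns the ECR repository
SECOND = "222222222222"                   # account whose IAM user pulls the image
CALLER = f"arn:aws:iam::{SECOND}:user/ci-user"            # hypothetical caller
REPO_ARN = f"arn:aws:ecr:us-east-1:{FIRST}:repository/app"  # repository being pulled
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
]

# Resource-based policy on the repository in the FIRST account (as in the question).
REPOSITORY_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "AllowCrossAccountPull",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SECOND}:root"},
        "Action": PULL_ACTIONS,
    }],
}

# Identity-based policy on the user in the SECOND account, before the fix:
# ecr:* but only on an unrelated repository in its own account.
IDENTITY_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ECRAccess",
        "Effect": "Allow",
        "Action": "ecr:*",
        "Resource": f"arn:aws:ecr:us-east-1:{SECOND}:repository/tooling",
    }],
}

# After the fix: an extra statement naming the FIRST account's repository ARN.
IDENTITY_POLICY_AFTER = {
    "Version": "2012-10-17",
    "Statement": IDENTITY_POLICY_BEFORE["Statement"] + [{
        "Sid": "FirstAccountECRAccess",
        "Effect": "Allow",
        "Action": "ecr:*",
        "Resource": REPO_ARN,
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match (e.g. "ecr:*" matches "ecr:BatchGetImage")."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, caller_arn, caller_account):
    """A resource policy statement applies only if its Principal covers the caller."""
    if principal == "*":
        return True
    for p in _as_list(principal.get("AWS", [])):
        # The account root principal delegates to the whole account, which is
        # exactly why the caller's own identity policy still has to allow it.
        if p in ("*", caller_arn, caller_account, f"arn:aws:iam::{caller_account}:root"):
            return True
    return False


def evaluate(statements, action, resource, caller_arn=None, caller_account=None,
             check_principal=False):
    """Return "Deny", "Allow" or "Implicit" for one policy document."""
    result = "Implicit"
    for s in statements:
        if check_principal and not _principal_matches(s.get("Principal", {}), caller_arn, caller_account):
            continue
        if not _matches(s.get("Action", []), action):
            continue
        if not _matches(s.get("Resource", "*"), resource):
            continue
        if s["Effect"] == "Deny":
            return "Deny"          # explicit deny wins immediately
        result = "Allow"
    return result


def cross_account_allowed(identity_policy, resource_policy, action, resource, caller_arn):
    """Both sides must Allow for a cross-account request; any Deny blocks it."""
    caller_account = caller_arn.split(":")[4]
    ident = evaluate(identity_policy["Statement"], action, resource)
    res = evaluate(resource_policy["Statement"], action, resource,
                   caller_arn, caller_account, check_principal=True)
    if "Deny" in (ident, res):
        return False
    return ident == "Allow" and res == "Allow"


def can_pull(identity_policy, resource_policy, caller_arn=CALLER, repo_arn=REPO_ARN):
    """A docker pull needs every one of the three ECR read actions."""
    return all(cross_account_allowed(identity_policy, resource_policy, a, repo_arn, caller_arn)
               for a in PULL_ACTIONS)


if __name__ == "__main__":
    print("before fix:", can_pull(IDENTITY_POLICY_BEFORE, REPOSITORY_POLICY))  # False
    print("after fix: ", can_pull(IDENTITY_POLICY_AFTER, REPOSITORY_POLICY))   # True
```

Running it shows the failing case is the identity side returning "Implicit" (no statement covers the first account's repository ARN), while the repository policy already returns "Allow"; that is why switching the repository policy's Principal from the account root to the specific user ARN changed nothing. When debugging a cross-account ECR pull, check both documents against the exact repository ARN rather than only the one you most recently edited.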