Unable to access ECR repository from separate account via `docker pull`

I'm attempting to allow one AWS account (called "second" below) to pull an image in an ECR repository of another AWS account (called "first" below).

I'm following these documents:

  • https://docs.aws.amazon.com/AmazonECR/latest/userguide/RepositoryPolicyExamples.html (to set the permissions)
  • https://aws.amazon.com/premiumsupport/knowledge-center/secondary-account-access-ecr/ (to get the token)

I have added the following permissions to the ECR repository:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<second>:root"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}

Then I run this command: eval "$(aws ecr get-login --no-include-email --region us-east-1 --profile second --registry-ids <second> <first>)"

And I get this result:

WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /Users/libby/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /Users/libby/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

I changed the store to config.json temporarily just to make sure I could see that authentication was being added to the file as I expected, and it is:

{
        "auths": {
                "<second>.dkr.ecr.us-east-1.amazonaws.com": {
                        "auth": "<super long token>"
                },
                "<first>.dkr.ecr.us-east-1.amazonaws.com": {
                        "auth": "<super long token>"
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/18.09.0 (darwin)"
        },
        "stackOrchestrator": "swarm"
}

Finally I run: docker pull <first>.dkr.ecr.us-east-1.amazonaws.com/<repo>:<tag> and get this result:

Error response from daemon: pull access denied for <first>.dkr.ecr.us-east-1.amazonaws.com/<repo>, repository does not exist or may require 'docker login'

I've triple checked all the account numbers are correct; the repo is definitely there. I'm able to pull it if I log in with the same get-login command but --profile first.

I'm not sure what else to try so that I can pull this image!

Changing the Principal in the ECR permissions to "AWS": "arn:aws:iam::<second>:user/<user>" doesn't make any difference.

Libby Avatar asked Jan 08 '19 17:01

1 Answer

I figured it out -- the IAM user in the "second" account had a policy attached that limited its ECR access. The policy was:

    {
        "Sid": "ECRAccess",
        "Effect": "Allow",
        "Action": "ecr:*",
        "Resource": "arn:aws:ecr:us-east-1:<second>:repository/<unrelated-repo>"
    }

So even though the ECR repository in the "first" account had permissions allowing the user access, the user's own account restricted its access to a single unrelated repository.

When I added another section with the first account's repository ARN:

    {
        "Sid": "FirstAccountECRAccess",
        "Effect": "Allow",
        "Action": "ecr:*",
        "Resource": "arn:aws:ecr:us-east-1:<first>:repository/<repo>"
    }

Then docker pull worked!

Libby Avatar answered Oct 20 '22 01:10

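The answer above comes down to one rule of cross-account access: the repository policy in the owning account and the identity-based policy in the caller's account must both allow every action the pull needs. The following is an added example, not code from the question or answer, that models just those two documents with a deliberately simplified evaluator (explicit Deny wins, then any matching Allow, otherwise implicit deny; no conditions, SCPs or session policies). The account IDs, user name and repository name are constructed placeholders standing in for <first>, <second>, <user> and <repo>; the policies themselves are the ones shown in the post.

```python
import fnmatch

FIRST = "111111111111"    # constructed placeholder for the <first> account
SECOND = "222222222222"   # constructed placeholder for the <second> account
REGION = "us-east-1"
REPO_ARN = f"arn:aws:ecr:{REGION}:{FIRST}:repository/app"   # the <repo> being pulled (placeholder)
USER_ARN = f"arn:aws:iam::{SECOND}:user/ci-puller"          # the IAM user in <second> (placeholder)

# The three API calls a `docker pull` against ECR performs.
PULL_ACTIONS = (
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
)

# Repository policy from the question (resource-based, attached in the first account).
REPO_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "AllowCrossAccountPull",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SECOND}:root"},
        "Action": PULL_ACTIONS,
    }],
}

# Identity policy from the answer before the fix: scoped to a single unrelated repository.
IDENTITY_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ECRAccess",
        "Effect": "Allow",
        "Action": "ecr:*",
        "Resource": f"arn:aws:ecr:{REGION}:{SECOND}:repository/unrelated-repo",
    }],
}

# Identity policy after the fix: the first account's repository ARN is added.
IDENTITY_POLICY_AFTER = {
    "Version": "2012-10-17",
    "Statement": IDENTITY_POLICY_BEFORE["Statement"] + [{
        "Sid": "FirstAccountECRAccess",
        "Effect": "Allow",
        "Action": "ecr:*",
        "Resource": REPO_ARN,
    }],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _glob(pattern, value, ignore_case=False):
    # IAM uses * and ? as wildcards, which fnmatch understands as well.
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _statement_matches_action(stmt, action):
    return any(_glob(p, action, ignore_case=True) for p in _as_list(stmt.get("Action", [])))


def identity_allows(policy, action, resource):
    """Identity-based policy: explicit Deny wins, then any matching Allow, else implicit deny."""
    decision = False
    for stmt in policy["Statement"]:
        if not _statement_matches_action(stmt, action):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    account = arn.split(":")[4]
    # Trusting the account root delegates the final decision to that account's own IAM policies.
    return principal in (arn, f"arn:aws:iam::{account}:root")


def repo_policy_allows(policy, principal_arn, action):
    """Resource-based repository policy: same Deny > Allow > implicit-deny ordering."""
    decision = False
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(_principal_matches(p, principal_arn) for p in principals):
            continue
        if not _statement_matches_action(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def can_pull(identity_policy, repo_policy, principal_arn, repo_arn):
    """Both sides must allow each pull action. Returns (allowed, [(action, side that blocked)])."""
    blocked = []
    for action in PULL_ACTIONS:
        if not identity_allows(identity_policy, action, repo_arn):
            blocked.append((action, "identity policy in caller's account"))
        elif not repo_policy_allows(repo_policy, principal_arn, action):
            blocked.append((action, "repository policy in owning account"))
    return (not blocked, blocked)


if __name__ == "__main__":
    for label, policy in (("before fix", IDENTITY_POLICY_BEFORE), ("after fix", IDENTITY_POLICY_AFTER)):
        ok, blocked = can_pull(policy, REPO_POLICY, USER_ARN, REPO_ARN)
        print(label + ":", "pull allowed" if ok else f"denied by {blocked[0][1]}")
```

Run it and the "before fix" case reports all three actions blocked on the caller's side even though the repository policy is fine, which is exactly why editing the Principal in the repository policy made no difference in the question. The same evaluator also shows the opposite failure (identity policy fine, repository policy trusting a different account), so it is a quick way to tell which of the two documents to look at when `docker pull` returns the "pull access denied" error.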