Skip to content

miztiik/cross-account-ecr-access-control

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
images
images
 
 
README.MD
README.MD
 
 

Repository files navigation

Grant access to another AWS Account B to pull or push images to Account A ECR Repo

To allow AWS Account B to be able to connect to Account A ECR image repository to push or pull images, you must create a policy that allows the secondary account to perform those API calls against the repository.

Fig : Tag-Based ECR Access Control

Follow this article in Youtube

  1. Prerequisites

    • Ensure you have tagged the repositories in Account A
      • Minimum of one repository with atleast the following tag,
      • TagKey: Team
      • TagValue: Payments
    • Account B user(ex: devusr2) with AWS CLI access
    • Note down Account A & B IDs

  2. Set Repo Permissions Policy in Account A

    The following policy allows user devusr2 to push and pull images to a repo which has the tagkey Team and its value as Payments. As this policy is assigned to only to the particular repo, the user will not get access to any other repo

    {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ecr:GetAuthorizationToken",
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:GetRepositoryPolicy",
          "ecr:DescribeRepositories",
          "ecr:ListImages",
          "ecr:DescribeImages",
          "ecr:BatchGetImage",
          "ecr:InitiateLayerUpload",
          "ecr:UploadLayerPart",
          "ecr:CompleteLayerUpload",
          "ecr:PutImage"
        ],
        "Condition": {
          "StringLike": {
            "aws:ResourceTag/Team": "Payments"
          }
        },
        "Principal": {
          "AWS": [
            "arn:aws:iam::YOUR-ACCOUNT-B-ID:user/devusr2"
          ]
        },
        "Sid": "AllowCrossAccountPushAndPull"
      }
    ]
  }

  3. Verifying Access from devusr2@Account B

    From the terminal with AWS CLI configured with devusr2 credentials as profile dev-acc run the following,

    1. Get ECR Credentials Change the YOUR-ACCOUNT-A-ID & dev-acc 
      $(aws ecr get-login --registry-ids YOUR-ACCOUNT-A-ID --no-include-email --region eu-central-1 --profile dev-acc)
    2. Prepare Docker Image Change the repo name my-first-repo & image my-first-repo:latest to suit your environment 
      docker tag my-first-repo:latest YOUR-ACCOUNT-A-ID.dkr.ecr.eu-central-1.amazonaws.com/my-first-repo:v1
    3. Push Image to Repo Change the repo name my-first-repo to suit your environment 
      docker push YOUR-ACCOUNT-A-ID.dkr.ecr.eu-central-1.amazonaws.com/my-first-repo:v1

Support

Please open a GitHub issue.

Feedback

Please open a GitHub issue. I do encourage you to contribute your changes and send me pull request.

References

  1. AWS Answers - Grant Cross Account Access

  2. AWS Blogs - Tagging Repositories on ECR

  3. AWS Blogs - Tag-Based Access Control

About

Allow AWS Account B to be able to connect to Account A ECR image repository to push or pull images

www.udemy.com/course/aws-cloud-development-kit-from-beginner-to-professional/?referralCode=E15D7FB64E417C547579&couponCode=AWS_4U_MAY

Topics

aws security control access tag ecr cross-account

Resources

Readme
Activity

Stars

7 stars

Watchers

1 watching

Forks

7 forks
Report repository

Releases

No releases published

Packages

No packages published