Problems with cross account ECR permission

1

When trying to interact with an ECR registry, we are running into permission problems. We've been beating our heads on this for some time, and have tried making the permissions as liberal as possible to troubleshoot what the problem is, but to no avail. We believe we're missing something very simple, but do not know what it is. Any suggestions would be appreciated. Below is the policy for our private registry in the web console.

{
  "Sid": "Organization-IA-Developers",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:sts::08xxxxxxxxxx:assumed-role/AWSReservedSSO_AWSAdministratorAccess_30xxxxxxxxxxxxxx/user@company.com"
  },
  "Action": "ecr:*",
  "Resource": "arn:aws:ecr:us-east-1:68xxxxxxxxxx:repository/*"
}

Here is the error message we receive:

Error reading manifest latest in
68xxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/web: denied: User: arn:aws:sts::08xxxxxxxxxx:assumed-role/AWSReservedSSO_AWSAdministratorAccess_30xxxxxxxxxxxxxx/user@company.com is not authorized to
perform: ecr:BatchGetImage on resource: arn:aws:ecr:us-east-1:68xxxxxxxxxx:repository/inspire-web because no resource-based policy allows the ecr:BatchGetImage action
asked 2 years ago, 5092 views
1 answer
0

Here is how we have set up our ECR permissions in our source account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountPullTest",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::ACCOUNT_ID:role/ecsTaskExecutionRoleName"
        ]
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}

Keep in mind that you also need to give your ECS Task Execution Role permissions in your destination account to do a BatchGetImage against this registry like so:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
answered 2 years ago
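As an added example (not code from the question or the answer above), here are the two policies the answer describes, rebuilt in Python next to a small offline evaluator. A cross-account pull is allowed only when both halves agree: the repository policy in the account that owns the registry must name the caller as Principal and allow the action, and the caller's identity policy in the other account must allow the same action on the repository ARN. The evaluator reproduces the shape of the error in the question ("no resource-based policy allows ...") when the repository policy is missing, which is what happens when the statement lives somewhere other than on the repository being pulled (a repository policy is attached per repository, and ECR's registry-level permissions govern replication and pull-through cache, not image pulls). Account IDs, role names and the repository name are placeholders; the matcher is deliberately simplified and ignores Deny statements, Condition blocks, SCPs, session policies and IAM role paths.

```python
"""Offline check of both halves of a cross-account ECR pull.

Added example, not code from the original post. All ARNs, account IDs
and names below are made-up placeholders.
"""
import fnmatch
import json

SOURCE_ACCOUNT = "111111111111"   # assumption: account that owns the registry
DEST_ACCOUNT = "222222222222"     # assumption: account that runs the ECS task
REGION = "us-east-1"
REPO_ARN = f"arn:aws:ecr:{REGION}:{SOURCE_ACCOUNT}:repository/web"
TASK_ROLE_ARN = f"arn:aws:iam::{DEST_ACCOUNT}:role/ecsTaskExecutionRole"

PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
]


def repository_policy(principals):
    """Resource-based policy to attach to the repository in the source account.
    A repository policy is scoped to the repository it is attached to, so it
    carries no Resource element."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountPull",
            "Effect": "Allow",
            "Principal": {"AWS": list(principals)},
            "Action": PULL_ACTIONS,
        }],
    }


def task_execution_role_policy(repo_arn):
    """Identity-based policy for the task execution role in the destination
    account. GetAuthorizationToken is a registry-level call and needs
    Resource "*"; the pull actions are scoped to the one repository."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
            {"Effect": "Allow", "Action": PULL_ACTIONS, "Resource": repo_arn},
            {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": "*"},
        ],
    }


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _match(patterns, value):
    # IAM wildcards "*" and "?" behave like shell globs; ARNs contain no "[".
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _caller_identities(caller_arn):
    """A session assumed from a role also matches a policy that names the
    role itself (assumption for this example: the role has no path)."""
    ids = {caller_arn}
    prefix = "arn:aws:sts::"
    if caller_arn.startswith(prefix) and ":assumed-role/" in caller_arn:
        account, rest = caller_arn[len(prefix):].split(":assumed-role/", 1)
        ids.add(f"arn:aws:iam::{account}:role/{rest.split('/', 1)[0]}")
    return ids


def statement_allows(stmt, action, resource, caller_arn=None):
    """True if one Allow statement covers action on resource (and, for a
    resource policy, names the caller). Deny and Condition are not modelled."""
    if stmt.get("Effect") != "Allow" or not _match(stmt.get("Action", []), action):
        return False
    if "Resource" in stmt and not _match(stmt["Resource"], resource):
        return False
    if caller_arn is not None:
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if not any(p == "*" or p in _caller_identities(caller_arn) for p in aws):
            return False
    return True


def check_cross_account_pull(identity_policy, repo_policy, caller_arn, action, repo_arn):
    """Return the list of missing grants; an empty list means the pull is allowed."""
    missing = []
    if not any(statement_allows(s, action, repo_arn) for s in identity_policy["Statement"]):
        missing.append(f"identity policy of {caller_arn} does not allow {action} on {repo_arn}")
    if repo_policy is None or not any(
            statement_allows(s, action, repo_arn, caller_arn) for s in repo_policy["Statement"]):
        missing.append(f"no resource-based policy allows {action} on {repo_arn}")
    return missing


if __name__ == "__main__":
    caller = f"arn:aws:sts::{DEST_ACCOUNT}:assumed-role/ecsTaskExecutionRole/ecs-task"
    print(json.dumps(repository_policy([TASK_ROLE_ARN]), indent=2))
    print(check_cross_account_pull(task_execution_role_policy(REPO_ARN),
                                   repository_policy([TASK_ROLE_ARN]),
                                   caller, "ecr:BatchGetImage", REPO_ARN))
    print(check_cross_account_pull(task_execution_role_policy(REPO_ARN), None,
                                   caller, "ecr:BatchGetImage", REPO_ARN))
```

Run it with no repository policy and the evaluator reports the same "no resource-based policy allows" condition as the error in the question; run it with the identity policy scoped to a different repository and the other half fails instead. Naming the role ARN in the repository policy (as the answer does) covers every session of that role, whereas an assumed-role session ARN as Principal matches only that exact session name.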
