
Is ECR cross-account access allowed in GovCloud?

1

Does anyone know if ECR cross-account access is allowed in GovCloud? The Lambda doc (https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-lambda.html) states it's not possible, but the ECR doc (https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-ecs.html) doesn't mention it either way. I know we recently launched cross-account/region support for ECR replication in GovCloud, but not sure about cross-account access for image sharing

asked 4 months ago · 92 views
2 Answers
6
Accepted Answer

Yes but you need to watch out for:

  • Repository policies must be explicit: You’ll need to enumerate account IDs in your ECR repository policy to grant access.
  • Lambda service principal quirks: Lambda accesses ECR as a service principal, so aws:PrincipalOrgID conditions won’t work — you’ll need to use aws:sourceArn and service-specific conditions.
  • GovCloud limitations: Public registries and pull-through cache rules are not supported in GovCloud.
EXPERT
answered 4 months ago
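An added example (not from either answerer) of the repository-policy shape the accepted answer describes: consumer account IDs are enumerated explicitly, and the Lambda service-principal statement is scoped with aws:sourceArn rather than aws:PrincipalOrgID. The account IDs, region and function ARNs are constructed placeholders, and the partition string is what distinguishes a GovCloud ARN from a commercial one.

```python
import json

# Constructed example: builds an ECR repository policy for cross-account pulls.
# All account IDs, regions and function ARNs used with it are placeholders.

PULL_ACTIONS = [
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchCheckLayerAvailability",
]


def build_repository_policy(partition, consumer_account_ids, lambda_function_arns=()):
    """Return an ECR repository policy (dict) granting pull access.

    partition: "aws-us-gov" for GovCloud, "aws" for commercial regions.
    consumer_account_ids: explicit account IDs to grant; there is no org-wide wildcard.
    lambda_function_arns: function ARNs allowed to pull through the Lambda service
    principal. That statement is conditioned on aws:sourceArn because an
    aws:PrincipalOrgID condition does not match a service principal.
    """
    statements = [{
        "Sid": "CrossAccountPull",
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:{partition}:iam::{acct}:root" for acct in consumer_account_ids]},
        "Action": PULL_ACTIONS,
    }]
    if lambda_function_arns:
        statements.append({
            "Sid": "LambdaServicePrincipalPull",
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
            "Condition": {"StringLike": {"aws:sourceArn": list(lambda_function_arns)}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def lint_policy(policy):
    """Flag the two mistakes the thread warns about: an org-ID condition on a
    service principal (silently never matches) and a wildcard principal (public)."""
    findings = []
    for st in policy["Statement"]:
        principal = st.get("Principal", {})
        cond = json.dumps(st.get("Condition", {}))
        if isinstance(principal, dict) and "Service" in principal and "aws:PrincipalOrgID" in cond:
            findings.append(f"{st['Sid']}: aws:PrincipalOrgID does not apply to a service principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"{st['Sid']}: wildcard principal exposes the repository to any account")
    return findings
```

Put the returned document on the repository with `aws ecr set-repository-policy --policy-text file://policy.json`; the consuming account's own IAM principals still need matching `ecr:*` allows on their side.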
1
  • ECR repositories in GovCloud support resource-based policies, so you can share images across GovCloud accounts.
  • However, Lambda in GovCloud does NOT support pulling images cross-account, even if ECR allows it.
  • For cross-account usage, you’d either: replicate images to the other account’s ECR repo, or use ECS or other services that support pulling images cross-account (and have correct IAM permissions).
answered 4 months ago
