Passer au contenu
En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post
À propos de re:Post

Is ECR cross-account access allowed in GovCloud?

1

Does anyone know if ECR cross-account access is allowed in GovCloud? The Lambda doc (https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-lambda.html) states it's not possible, but the ECR doc (https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-ecs.html) doesn't mention it either way. I know we recently launched cross-account/region support for ECR replication in GovCloud, but not sure about cross-account access for image sharing

Sujets
Conteneurs
Balises
Registre de conteneurs élastique Amazon (ECR)
Langue
English
demandé il y a 4 mois94 vues
2 réponses
6
Réponse acceptée

Yes but you need to watch out for:

  • Repository policies must be explicit: You’ll need to enumerate account IDs in your ECR repository policy to grant access.
  • Lambda service principal quirks: Lambda accesses ECR as a service principal, so aws:PrincipalOrgID conditions won’t work — you’ll need to use aws:sourceArn and service-specific conditions.
  • GovCloud limitations: Public registries and pull-through cache rules are not supported in GovCloud.
EXPERT
répondu il y a 4 mois
1
  • ECR repositories in GovCloud support resource-based policies, so you can share images across GovCloud accounts.
  • However, Lambda in GovCloud does NOT support pulling images cross-account, even if ECR allows it.
  • For cross-account usage, you’d either: replicate images to the other account’s ECR repo, or use ECS or other services that support pulling images cross-account (and have correct IAM permissions).
répondu il y a 4 mois

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Contenus pertinents