
Is ECR cross-account access allowed in GovCloud?

1

Does anyone know if ECR cross-account access is allowed in GovCloud? The Lambda doc (https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-lambda.html) states it's not possible, but the ECR doc (https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-ecs.html) doesn't mention it either way. I know we recently launched cross-account/region support for ECR replication in GovCloud, but I'm not sure about cross-account access for image sharing.

Asked 4 months ago, 92 views

2 answers

6

Accepted answer

Yes but you need to watch out for:

  • Repository policies must be explicit: You’ll need to enumerate account IDs in your ECR repository policy to grant access.
  • Lambda service principal quirks: Lambda accesses ECR as a service principal, so aws:PrincipalOrgID conditions won’t work — you’ll need to use aws:sourceArn and service-specific conditions.
  • GovCloud limitations: Public registries and pull-through cache rules are not supported in GovCloud.
Expert
Answered 4 months ago
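The repository policy shape this answer describes, written out as an added example (not from the original answer or from AWS documentation). Account IDs, the region and the function ARN pattern are placeholders; the `aws-us-gov` partition in the ARNs is what GovCloud uses. The first statement enumerates the consuming accounts explicitly, as the answer says GovCloud requires; the second grants the Lambda service principal pull access scoped with `aws:sourceArn` instead of `aws:PrincipalOrgID`, which the answer notes does not evaluate for service principals.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExplicitCrossAccountPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws-us-gov:iam::111111111111:root",
          "arn:aws-us-gov:iam::222222222222:root"
        ]
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability"
      ]
    },
    {
      "Sid": "LambdaServicePrincipalPull",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Condition": {
        "StringLike": {
          "aws:sourceArn": "arn:aws-us-gov:lambda:us-gov-west-1:111111111111:function:*"
        }
      }
    }
  ]
}
```

Pull-only actions are granted, not `ecr:PutImage` or `ecr:DeleteRepository`, so the consuming accounts can read but never modify the shared repository. The `aws:sourceArn` pattern is the control that keeps the service-principal statement from becoming a grant to every Lambda function in the partition; narrowing it to a specific function name rather than `function:*` tightens it further. Repository policies are resource policies, so the consuming account still needs matching identity-based IAM permissions on its own side.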
1
  • ECR repositories in GovCloud support resource-based policies, so you can share images across GovCloud accounts.
  • However, Lambda in GovCloud does NOT support pulling images cross-account, even if ECR allows it.
  • For cross-account usage, you’d either: replicate images to the other account’s ECR repo, or use ECS or other services that support pulling images cross-account (and have correct IAM permissions).
Answered 4 months ago
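For the replication route this answer suggests (and the questioner mentions), an added example of an ECR replication configuration, not taken from the answer or from AWS documentation. It copies images from the source registry into a second account's registry in another GovCloud region; account IDs, regions and the repository prefix are placeholders.

```json
{
  "rules": [
    {
      "destinations": [
        {
          "region": "us-gov-east-1",
          "registryId": "222222222222"
        }
      ],
      "repositoryFilters": [
        {
          "filter": "prod/",
          "filterType": "PREFIX_MATCH"
        }
      ]
    }
  ]
}
```

The `repositoryFilters` block limits replication to repositories whose names start with `prod/`, so development or scratch images never leave the source account. Replication is only half of the setup: the destination registry (account 222222222222 here) must also carry a registry permissions policy that allows the source account's principal `ecr:ReplicateImage`, and `ecr:CreateRepository` if the destination repositories are not pre-created. Without that policy the replication rule is accepted but images silently fail to arrive, which is worth checking first when a cross-account pull breaks after the move to replication.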
