AWS Greengrass v2 pull docker images from private a ECR registry in a different account

Question

Hi,

I am currently deploying docker images using **Greengrass Core v2 (GGC)** to my edge devices. The docker images and GGC devices are located in the same account. This is working fine with the help of the `aws.greengrass.DockerApplicationManager` and `aws.greengrass.TokenExchangeService` components.

Now, I was wondering if it is possible to **deploy or pull docker images** from a **private ECR Registry** in a **different AWS account** than the GGC device. I wouldn't currently know how and where to set appropriate permissions to allow this.

As a workaround, I would otherwise consider the approach of [cross-account replication](https://docs.aws.amazon.com/AmazonECR/latest/userguide/replication.html). However, if there is a simpler way, I would be pleased to hear about it.

Thanks in advance!

Accepted Answer

Greengrass doesn't support this directly. Using the builtin Docker image pulling support that Greengrass provides, your image must be in the same account and region that the Greengrass device is registered in.

You _may_ be able to download the image yourself by using the appropriate commands in your component recipe, but not in a directly provided and supported way. See the ECR documentation for downloading images yourself: https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-pull-ecr-image.html

AWS Greengrass v2 pull docker images from private a ECR registry in a different account

관련 콘텐츠