Problems with cross account ECR permission


When trying to interact with an ECR registry, we are running into permission problems. We've been beating our heads on this for some time, and have tried making the permissions as liberal as possible to troubleshoot what the problem is, but to no avail. We believe we're missing something very simple, but do not know what it is. Any suggestions would be appreciated. Below is the policy for our private registry in the web console.

{
  "Sid": "Organization-IA-Developers",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:sts::08xxxxxxxxxx:assumed-role/AWSReservedSSO_AWSAdministratorAccess_30xxxxxxxxxxxxxx/user@company.com"
  },
  "Action": "ecr:*",
  "Resource": "arn:aws:ecr:us-east-1:68xxxxxxxxxx:repository/*"
}

Here is the error message we receive:

Error reading manifest latest in
│ 68xxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/web: denied: User: arn:aws:sts::08xxxxxxxxxx:assumed-role/AWSReservedSSO_AWSAdministratorAccess_30xxxxxxxxxxxxxx/user@company.com is not authorized to
│ perform: ecr:BatchGetImage on resource: arn:aws:ecr:us-east-1:68xxxxxxxxxx:repository/inspire-web because no resource-based policy allows the ecr:BatchGetImage action"
asked 2 years ago, 4987 views
1 Answer

Here is how we have set up our ECR permissions in our source account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountPullTest",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::ACCOUNT_ID:role/ecsTaskExecutionRoleName"
        ]
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}

Keep in mind that you also need to give your ECS Task Execution Role permissions in your destination account to do a BatchGetImage against this registry like so:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
answered 2 years ago
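To see which statement of a repository policy actually matches the caller named in an error like the one above, here is an added example (not code from the question or the answer) that evaluates a policy offline: it maps an STS assumed-role session ARN to the IAM role ARN that the Principal element is matched against, applies Deny-over-Allow, and ignores Condition elements. The embedded policy, account ids and session name are constructed placeholders. Note that a repository policy is attached per repository, so the policy to check is the one on the repository named in the error (`inspire-web` above), not one set elsewhere.

```python
import fnmatch
import json
import re

# Constructed sample in the shape of the answer's cross-account policy;
# the account id is a placeholder, not a real value.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCrossAccountPullTest",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111111111111:role/ecsTaskExecutionRoleName"]},
        "Action": ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
                   "ecr:GetDownloadUrlForLayer"],
    }],
})

_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/.+$")


def canonical_principal(arn: str) -> str:
    """Reduce an STS assumed-role session ARN to the IAM role ARN that a
    resource policy Principal is compared against; other ARNs pass through."""
    m = _ASSUMED_ROLE.match(arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller: str) -> bool:
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in allowed or canonical_principal(caller) in {canonical_principal(a) for a in allowed}


def policy_allows(policy_json: str, caller_arn: str, action: str) -> bool:
    """Simplified resource-policy evaluation: a matching Deny wins outright,
    otherwise at least one matching Allow is required. Conditions are ignored."""
    allowed = False
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        patterns = [a.lower() for a in _as_list(st.get("Action", []))]  # actions are case-insensitive
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not _principal_matches(st.get("Principal", {}), caller_arn):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed
```

Run `policy_allows` with the caller ARN and the exact action quoted in the error message (here `ecr:BatchGetImage`) against the policy fetched from the named repository; a `False` result means no statement grants it, which is what the "no resource-based policy allows" message reports.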
