Can you share a screenshot or information for Route53 Hosted Zone and Record how currently configured for PrivateLink's domain setup? Additionally, I would like to check the security group rules connected to PrivateLink.
Hi, thanks for helping. Yes, I have everything set up in cfn, so...
This is one of the Hosted Private zones (the dkr one, created in the SHARED resources account, where of course the ecr repos live):
PrivateHostedZoneEcrDkr:
  Type: "AWS::Route53::HostedZone"
  Properties:
    HostedZoneConfig:
      Comment: "Private hosted zone for ecr dkr vpc endpoint"
    Name: "dkr.ecr.eu-west-1.amazonaws.com"
    VPCs:
      - VPCId: !FindInMap [Environments, !Ref Environment, VPC]
        VPCRegion: !Sub ${AWS::Region}
    HostedZoneTags:
      - Key: ApplicationName
        Value: !Ref ApplicationName
      - Key: Availability
        Value: !Ref Availability
      - Key: ContactPerson
        Value: !Ref ContactPerson
      - Key: Environment
        Value: !Ref Environment
      - Key: Monitor
        Value: !Ref Monitor
      - Key: ProjectName
        Value: !Ref ProjectName
The security group rules for the private link (dkr) and the private link setup:
EcrDkrEndpoint:
  Type: AWS::EC2::VPCEndpoint
  Properties:
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            AWS:
              - "arn:aws:iam::5*********0:root" # NonPrd
              - "arn:aws:iam::1*********3:root" # Prd
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
            - ecr:BatchGetImage
            - ecr:GetAuthorizationToken
            - ecr:GetDownloadUrlForLayer
            - ecr:BatchCheckLayerAvailability
            - ecr:PutImage
            - ecr:InitiateLayerUpload
            - ecr:UploadLayerPart
            - ecr:CompleteLayerUpload
          Resource:
            - !Sub "arn:aws:ecr:${AWS::Region}:289334807197:repository/*"
    VpcId: !FindInMap [Environments, !Ref Environment, VPC]
    VpcEndpointType: Interface
    PrivateDnsEnabled: false
    SecurityGroupIds:
      - !GetAtt VPCESecurityGroup.GroupId
    SubnetIds:
      - !Select [0, !FindInMap [Environments, !Ref Environment, PrivateSubnets]]
      - !Select [1, !FindInMap [Environments, !Ref Environment, PrivateSubnets]]
      - !Select [2, !FindInMap [Environments, !Ref Environment, PrivateSubnets]]
    ServiceName:
      Fn::Join:
        - ""
        - - "com.amazonaws."
          - !Ref "AWS::Region"
          - ".ecr.dkr"
VPC endpoint security group:
VPCESecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupName: !Sub "vpc-endpoint-sg-${Environment}"
    GroupDescription: "VPCE endpoint security group"
    VpcId: !FindInMap [Environments, !Ref Environment, VPC]
    SecurityGroupIngress:
      - CidrIp: !FindInMap [Environments, !Ref Environment, CIDR]
        FromPort: 443
        IpProtocol: tcp
        ToPort: 443
      - CidrIp: !FindInMap [Environments, "prd", CIDR]
        FromPort: 443
        IpProtocol: tcp
        ToPort: 443
      - CidrIp: !FindInMap [Environments, "staging", CIDR]
        FromPort: 443
        IpProtocol: tcp
        ToPort: 443
      - CidrIp: !FindInMap [Environments, "qa", CIDR]
        FromPort: 443
        IpProtocol: tcp
        ToPort: 443
One more important thing, probably. If I try to do a get-login on an ec2 I get this: "... is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no VPC endpoint policy allows the ecr:GetAuthorizationToken action". However, ecr:GetAuthorizationToken is in the policy of the endpoints:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload"
      ],
      "Resource": [
        "arn:aws:ecr:eu-west-1:289334807197:repository/*"
      ],
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::5***************0:root",
          "arn:aws:iam::1***************3:root",
          "arn:aws:iam::2***************7:root"
        ]
      }
    }
  ]
}
I've tried to add the SG for the Fargate cluster to the VPC endpoints... Still no luck... I'm out of ideas for the moment... So... Anyone?
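An added check for the error quoted in the last post (editor's example, not code from the thread): ecr:GetAuthorizationToken does not support resource-level permissions, so an Allow statement whose Resource lists only repository ARNs never matches it, however explicitly the action is named. The script lints an endpoint policy for that pattern and rewrites it; the policy it runs on is a constructed stand-in for the quoted one, with placeholder account ids.

```python
import copy
from fnmatch import fnmatchcase

# Actions with no resource-level permissions: IAM matches them only when the
# statement's Resource contains "*". Only the action relevant here is listed.
WILDCARD_ONLY_ACTIONS = ("ecr:GetAuthorizationToken",)

# Constructed stand-in for the endpoint policy quoted above (placeholder ids).
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111111111111:root"]},
        "Action": ["ecr:BatchGetImage", "ecr:GetAuthorizationToken",
                   "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"],
        "Resource": ["arn:aws:ecr:eu-west-1:111111111111:repository/*"],
    }],
}

def _as_list(value):
    """IAM accepts either a string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]

def unreachable_actions(policy):
    """(statement_index, action) pairs for wildcard-only actions that an Allow
    statement names but can never grant because its Resource lacks "*"."""
    found = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or "*" in _as_list(stmt.get("Resource", [])):
            continue
        for pattern in _as_list(stmt.get("Action", [])):   # action names may be globs
            for action in WILDCARD_ONLY_ACTIONS:
                if fnmatchcase(action.lower(), pattern.lower()):  # IAM ignores case
                    found.append((i, action))
    return found

def split_wildcard_only(policy):
    """Copy of the policy in which each unreachable action is moved to its own
    Allow statement with Resource "*", keeping the original statement's Principal."""
    fixed = copy.deepcopy(policy)
    stmts = _as_list(fixed["Statement"])
    extra = []
    for i, action in unreachable_actions(policy):
        stmt = stmts[i]
        stmt["Action"] = [a for a in _as_list(stmt["Action"]) if a.lower() != action.lower()]
        extra.append({"Effect": "Allow", "Principal": stmt.get("Principal", "*"),
                      "Action": [action], "Resource": "*"})
    fixed["Statement"] = stmts + extra
    return fixed
```

The call also has to reach the endpoint that serves it: GetAuthorizationToken is an ecr.api call, not an ecr.dkr one, so it is the policy on the ecr.api endpoint that this check should be run against.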