AWS ECR allow roles from secondary account


I have an ECR in a prod account that I want to grant push access to from the dev role.

This is my current policy

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPushPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::account:role/rolename",
          "arn:aws:sts::account:assumed-role/rolename/instance",
          "arn:aws:sts::account:assumed-role/rolename/AWSCLI-Session"
        ]
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:GetRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:PutLifecyclePolicy",
        "ecr:SetRepositoryPolicy",
        "ecr:StartLifecyclePolicyPreview",
        "ecr:UploadLayerPart"
      ]
    }
  ]
}

Running aws sts get-caller-identity I can see I have the role checked out "arn:aws:sts::account:assumed-role/rolename/AWSCLI-Session" but I do not have access to push.

I receive the following until timeout.

The push refers to repository [account.dkr.ecr.us-west-2.amazonaws.com/repo] 87e2ce75493a: Retrying in 4 seconds

My non-prod account does exist in us-east-1, but my login command specifies west.

task: [docker:ecr-login] aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin account.dkr.ecr.us-west-2.amazonaws.com

Any ideas what may be my problem on this repo?

(this works with my production account so the registry is valid)

Also, this works when I use my dev account and allow the IAM user.

1 Answer

Have a look at this article. It provides the required steps to allow a secondary account to push or pull images from an ECR image repository.

https://aws.amazon.com/premiumsupport/knowledge-center/secondary-account-access-ecr/

Follow these steps carefully and make sure that your secondary account has the Amazon ECR permissions listed in the "AmazonEC2ContainerRegistryPowerUser" managed policy. These permissions are required to pull or push from your primary account.

AWS
Michael
answered 2 years ago
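The point behind the answer, and the reason the repository policy in the question is not enough on its own, is how IAM evaluates a cross-account request: an explicit Deny anywhere wins; within one account an Allow from either the identity policy or the resource policy suffices; across accounts the caller needs an Allow from both the repository policy in the registry's account and an identity policy attached to the calling role in its own account. On top of that, `aws ecr get-login-password` calls `ecr:GetAuthorizationToken`, which is an account-level action with no repository resource, so it can only come from the role's identity policy. The following is an added example, not code from this thread or from AWS: a small offline model of those rules that checks a login-plus-push sequence against a repository policy like the one in the question and an identity policy covering the push subset of AmazonEC2ContainerRegistryPowerUser. The account IDs, role name and repository ARN are constructed placeholders.

```python
"""Simplified IAM evaluation for cross-account ECR push (added example).

Models the documented rules only: explicit Deny wins; same-account needs an
Allow from either side; cross-account needs an Allow from BOTH the repository
policy and the caller's identity policy. A session ARN
arn:aws:sts::ACCT:assumed-role/ROLE/SESSION matches a principal entry that
names the role ARN arn:aws:iam::ACCT:role/ROLE.
"""
from fnmatch import fnmatchcase

PROD_ACCOUNT = "222222222222"   # constructed: owns the ECR repository
DEV_ACCOUNT = "111111111111"    # constructed: owns the pushing role
REPO_ARN = f"arn:aws:ecr:us-west-2:{PROD_ACCOUNT}:repository/repo"
DEV_ROLE_ARN = f"arn:aws:iam::{DEV_ACCOUNT}:role/rolename"

# Repository-level actions that `docker push` needs.
PUSH_ACTIONS = [
    "ecr:BatchCheckLayerAvailability", "ecr:CompleteLayerUpload",
    "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart",
]

# Repository policy set in the prod account (the half the question has).
REPOSITORY_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "AllowPushPull",
        "Effect": "Allow",
        "Principal": {"AWS": [DEV_ROLE_ARN]},
        "Action": PUSH_ACTIONS + ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
    }],
}

# Identity policy to attach to the dev role (the half the question is missing).
# ecr:GetAuthorizationToken has no repository resource, hence Resource "*".
DEV_ROLE_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {"Effect": "Allow", "Action": PUSH_ACTIONS, "Resource": REPO_ARN},
    ],
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    return arn.split(":")[4]


def _canonical_role_arn(principal_arn):
    """Map an STS assumed-role session ARN to the IAM role it came from."""
    parts = principal_arn.split(":", 5)
    if len(parts) == 6 and parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        return f"arn:aws:iam::{parts[4]}:role/{parts[5].split('/')[1]}"
    return principal_arn


def _principal_matches(statement, caller_arn):
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    for entry in _as_list(principal.get("AWS")):
        if entry == "*" or entry == caller_arn or entry == _canonical_role_arn(caller_arn):
            return True
        if entry.endswith(":root") and _account_of(entry) == _account_of(caller_arn):
            return True  # account root delegates to that account's own IAM policies
    return False


def _effects(policy, caller_arn, action, resource_arn, check_principal):
    """Set of Effects ('Allow'/'Deny') from statements matching this request."""
    found = set()
    for stmt in _as_list((policy or {}).get("Statement")):
        if check_principal and not _principal_matches(stmt, caller_arn):
            continue
        # Repository policies carry no Resource element; they apply to the repo.
        resources = _as_list(stmt.get("Resource")) or ["*"]
        if any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action"))) \
                and any(fnmatchcase(resource_arn, p) for p in resources):
            found.add(stmt["Effect"])
    return found


def evaluate(caller_arn, action, resource_arn, identity_policy, resource_policy=None):
    """Return 'allow' or 'deny' for one request under the simplified rules."""
    identity = _effects(identity_policy, caller_arn, action, resource_arn, False)
    resource = _effects(resource_policy, caller_arn, action, resource_arn, True)
    if "Deny" in identity or "Deny" in resource:
        return "deny"
    if resource_policy is None:  # account-level action such as GetAuthorizationToken
        return "allow" if "Allow" in identity else "deny"
    if _account_of(resource_arn) == _account_of(caller_arn):
        return "allow" if ("Allow" in identity or "Allow" in resource) else "deny"
    return "allow" if ("Allow" in identity and "Allow" in resource) else "deny"


def push_failures(caller_arn, identity_policy, repository_policy):
    """List the steps of `docker login` + `docker push` that would be refused."""
    failures = []
    if evaluate(caller_arn, "ecr:GetAuthorizationToken", "*", identity_policy) == "deny":
        failures.append("ecr:GetAuthorizationToken")
    for action in PUSH_ACTIONS:
        if evaluate(caller_arn, action, REPO_ARN, identity_policy, repository_policy) == "deny":
            failures.append(action)
    return failures


if __name__ == "__main__":
    session = f"arn:aws:sts::{DEV_ACCOUNT}:assumed-role/rolename/AWSCLI-Session"
    print("no identity policy:", push_failures(session, {"Statement": []}, REPOSITORY_POLICY))
    print("with identity policy:", push_failures(session, DEV_ROLE_IDENTITY_POLICY, REPOSITORY_POLICY))
```

With the repository policy alone, every step is refused, including the login itself; once the identity policy is attached to the dev role, the same session passes. Listing the role ARN as the principal is enough to cover all of its sessions, so the `assumed-role/.../AWSCLI-Session` entries in the question add nothing that the role ARN entry does not already grant.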
