Cross Account ECR Image Sharing

Question

Hello,
I have a docker container in my ECR. I have adjusted access to this so that a specific root account (X) can use it to instantiate a lambda instance with a specific name. So once X instantiates the lambda, is there any way that he can view the content of my docker container?

This is the access policy in my ECR
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPushForLambda",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam:::root",
        "AWS": "arn:aws:iam:::root"
      },
      "Action": "ecr:GetImage",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "arn:aws:lambda:::function:ExpectedLambdaFunctionName",
            "arn:aws:lambda:::function:ExpectedLambdaFunctionName"
          ]
        }
      },
      "Resource": "arn:aws:ecr:::repository/"
    }
  ]
}

Answer

Hi Avishka-Perera,

From my pov, to do cross-account access and pull images from ECR, you could allow it using AWS Account IDs.
Please refer to my testing image below. I tried to pull it from the local machine or EKS cluster.
![Enter image description here](/media/postImages/original/IM3KOQpxKlTDuOXD2MjlHJ1A)

Cross Account ECR Image Sharing

Relevant content