
Questions tagged with AWS PrivateLink


ECR Cross Account Private Link

Hi All,

Struggling for a couple of days already with the following. I've followed this guide: https://aws.amazon.com/blogs/networking-and-content-delivery/centralize-access-using-vpc-interface-endpoints/

I have set up AWS Organisations with all the separate accounts like nonprd, prd, ... AND the Shared resources account.

* CIDR for Shared: 10.40.0.0/16
* CIDR for nonprd: 10.0.0.0/16
* CIDR for prd: 10.1.0.0/16

In this Shared resources account, I've created the 4 VPC endpoints for ECR (the Shared resources account holds our ECR docker repos for the other accounts): logs, dkr, api and S3. I've set up VPC peering with my nonprd and prd accounts. I've created the route table entries so that all traffic flows from Shared to the VPC peering connection's CIDR and vice versa.

The private DNS option for the VPC endpoints is disabled; the names were manually created as private Route53 records, exactly matching the ECR domains. So I have 3 extra private records IN the SHARED resources account:

* api.ecr.eu-west-1.amazonaws.com
* dkr.ecr.eu-west-1.amazonaws.com
* logs.eu-west-1.amazonaws.com

I've created the alias records pointing to the private hosted zones. I've done the Route53 associations for all the VPCs in nonprd and prd. I CAN resolve the DNS records. BUT... And now the problem arises... When I try to run the containers in my nonprd account in any of the VPCs there, my tasks are given one of the following errors:

* ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 1 time(s): AccessDeniedException: User: arn:aws:sts::${AWS::AccountId}:assumed-rol...
* ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post https://api.ecr....

The policy on the VPC endpoints (complete snippet from my cfn-template):

```yaml
EcrApiEndpoint:
  Type: AWS::EC2::VPCEndpoint
  Properties:
    PolicyDocument:
      # Quoted so the YAML parser does not read the version as a date
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            AWS:
              - "arn:aws:iam::51*******0:root" # NonPrd
              - "arn:aws:iam::1******3:root"   # Prd
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
            - ecr:BatchGetImage
            - ecr:GetAuthorizationToken
            - ecr:GetDownloadUrlForLayer
            - ecr:BatchCheckLayerAvailability
            - ecr:PutImage
            - ecr:InitiateLayerUpload
            - ecr:UploadLayerPart
            - ecr:CompleteLayerUpload
          Resource:
            - !Sub "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*"
    VpcId: !FindInMap [Environments, !Ref Environment, VPC]
    VpcEndpointType: Interface
    PrivateDnsEnabled: false
    SecurityGroupIds:
      - !GetAtt VPCESecurityGroup.GroupId
    SubnetIds:
      - !Select [0, !FindInMap [Environments, !Ref Environment, PrivateSubnets]]
      - !Select [1, !FindInMap [Environments, !Ref Environment, PrivateSubnets]]
      - !Select [2, !FindInMap [Environments, !Ref Environment, PrivateSubnets]]
    ServiceName:
      Fn::Join:
        - ""
        - - "com.amazonaws."
          - !Ref "AWS::Region"
          - ".ecr.api"
```

So the VPC endpoints run in the private subnets of the SHARED resources account. The ECS Fargate service/task also has the correct permissions (everything is working fine without the VPC endpoints). Can someone help... Please...
4 answers, 0 votes, 201 views, asked 4 months ago