Cross Account ECR Image Sharing

0

Hello, I have a docker container in my ECR. I have adjusted access to this so that a specific root account (X) can use it to instantiate a lambda instance with a specific name. So once X instantiates the lambda, is there any way that he can view the content of my docker container?

This is the access policy in my ECR:

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPushForLambda",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<ExtAccountID1>:root",
          "arn:aws:iam::<ExtAccountID2>:root"
        ]
      },
      "Action": "ecr:GetImage",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "arn:aws:lambda:<region>:<ExtAccountID1>:function:ExpectedLambdaFunctionName",
            "arn:aws:lambda:<region>:<ExtAccountID2>:function:ExpectedLambdaFunctionName"
          ]
        }
      },
      "Resource": "arn:aws:ecr:<region>:<MyAccountID>:repository/<repository-name>"
    }
  ]
}
```

Asked 1 year ago, viewed 420 times

1 answer
0

Hi Avishka-Perera,

From my pov, to do cross-account access and pull images from ECR, you could allow it using AWS Account IDs. Please refer to my testing image below. I tried to pull it from the local machine or EKS cluster.

Minh Le
Answered 1 year ago
  • Hi Minh,

    Thank you for your response. Noted!

    By doing that, will the person with account id 435854034491 be able to download the docker container in my ECR? Is it possible to restrict them to using my docker container only to instantiate lambda functions and nothing more? I want to hide the content of my docker container, but allow them only to utilize the functionality.
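For comparison, the repository policy shape that AWS documents for a Lambda function in another account pulling a container image, added here as an example and not taken from the question or the answer (the account ID, region and function name are placeholders): the Lambda service pulls the image as the service principal lambda.amazonaws.com, so the grant is scoped to one function with an aws:sourceArn condition on that principal rather than with aws:Referer, which is an HTTP Referer check that the Lambda pull does not present. The first statement is still required because the user or role that creates the function in the other account must itself be able to read the image, which means that principal can also pull the image with an ordinary client, so the image contents cannot be kept hidden from an account that is allowed to deploy it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CrossAccountPermission",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<ExtAccountID1>:root" },
      "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ]
    },
    {
      "Sid": "LambdaECRImageCrossAccountRetrievalPolicy",
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ],
      "Condition": {
        "StringLike": {
          "aws:sourceArn": "arn:aws:lambda:<region>:<ExtAccountID1>:function:ExpectedLambdaFunctionName"
        }
      }
    }
  ]
}
```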
