How do I let a secondary account push or pull images in my Amazon ECR image repository?


I want to allow a secondary account to push or pull images in my Amazon Elastic Container Registry (Amazon ECR) image repository.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

To push or pull images in an Amazon ECR repository that belongs to another account, first create a repository policy in the primary account (the account that owns the repository). That policy must allow the secondary account, or a specific IAM role in it, to perform the required ECR API calls against the primary account's repository.

Then, generate a Docker authorization token with the secondary account's credentials, and use it to run push and pull commands against the primary account's repository.

Create a repository policy

Complete the following steps:

  1. Open the Amazon ECR console for your primary account.

  2. In the navigation pane, under Private registry, choose Repositories.

  3. Choose the repository that you want to modify.

  4. In the navigation pane, choose Permissions.

  5. Choose Edit policy JSON.

  6. Enter your policy into the code editor, and then choose Save.
    Important: In your policy, include the account ID of the secondary account and the actions that the account can perform against the repository. A principal of arn:aws:iam::account-id:root delegates access to every IAM identity in the secondary account whose own identity-based policy allows the action. To restrict access to a specific role instead, provide the role ARN as the principal. For example, "AWS": "arn:aws:iam::account-id:role/ecsInstanceRole". Before you save the repository policy, make sure that the role exists in the secondary account. If the role doesn't exist, then you receive an error similar to the following: invalid repository policy provided.
    The following example repository policy allows a specific account to push and pull images:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowPushPull",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::account-id:root"
          },
          "Action": [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage",
            "ecr:BatchCheckLayerAvailability",
            "ecr:PutImage",
            "ecr:InitiateLayerUpload",
            "ecr:UploadLayerPart",
            "ecr:CompleteLayerUpload"
          ]
        }
      ]
    }
  7. If you run the image on Amazon ECS, reference it in the task definition by its full URI in the primary account's registry (account-id.dkr.ecr.region.amazonaws.com/repository:tag). The image is hosted in the primary account's Amazon ECR repository.
    Note: Make sure that the IAM identity (role or user) in the secondary account that pushes or pulls has an identity-based policy that allows the same ECR actions, for example the AmazonEC2ContainerRegistryPowerUser managed policy. For cross-account access, both the identity-based policy in the secondary account and the repository policy in the primary account must allow the action; either one alone is not enough.
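    The following script is an added example (not part of the AWS article) that generates a repository policy for the procedure above and lints it before you save it. It separates a pull-only statement for consumers from a push statement for a CI role, validates that every principal is an IAM ARN rather than a bare account ID, and flags the three things a reviewer looks for: a "*" principal, a wildcard action such as ecr:*, and push permissions granted to an account root principal. Run against the article's own example (push and pull to account-id:root) it reports that last point as a least-privilege nit. The account IDs 123456789012 (primary) and 210987654321 (secondary) and the role name ciPushRole are placeholders.

```python
"""Build and lint an Amazon ECR repository policy for cross-account access.

Added example; this is not code from the AWS article. Account IDs
(123456789012 = primary/owner, 210987654321 = secondary) and the role
name ciPushRole are placeholders. Apply the generated JSON with:
    aws ecr set-repository-policy --repository-name <repo> --policy-text file://policy.json
"""
import json
import re

# Actions the Docker client needs to pull (the read-only subset of the article's policy).
PULL_ACTIONS = (
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "ecr:BatchCheckLayerAvailability",
)
# Additional actions needed to push; PULL_ACTIONS + PUSH_ACTIONS is the article's full list.
PUSH_ACTIONS = (
    "ecr:PutImage",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
)

# Account root, role, or user ARNs only; anything else is rejected before it reaches ECR.
_PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::\d{12}:(root|(role|user)/[\w+=,.@/-]+)$")


def build_repository_policy(pull_principals, push_principals=()):
    """Return a policy dict: pull-only for consumers, push+pull for the CI principal."""
    for arn in (*pull_principals, *push_principals):
        if not _PRINCIPAL_ARN.match(arn):
            raise ValueError(f"not an IAM principal ARN: {arn}")
    statements = []
    if pull_principals:
        statements.append({"Sid": "AllowPull", "Effect": "Allow",
                           "Principal": {"AWS": list(pull_principals)},
                           "Action": list(PULL_ACTIONS)})
    if push_principals:
        statements.append({"Sid": "AllowPushPull", "Effect": "Allow",
                           "Principal": {"AWS": list(push_principals)},
                           "Action": list(PULL_ACTIONS + PUSH_ACTIONS)})
    return {"Version": "2012-10-17", "Statement": statements}


def lint_repository_policy(policy):
    """Return findings a reviewer would raise before saving the policy (empty list = clean)."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else list(aws)
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if "*" in aws:
            findings.append(f"{sid}: Principal '*' lets any AWS account use this repository")
        if any(a == "*" or a.endswith("*") for a in actions):
            findings.append(f"{sid}: wildcard Action {actions} grants far more than push/pull "
                            "(for example ecr:DeleteRepository, ecr:SetRepositoryPolicy)")
        if any(a in PUSH_ACTIONS for a in actions) and any(a.endswith(":root") for a in aws):
            findings.append(f"{sid}: push is granted to an account root principal; "
                            "scope it to the CI role ARN instead")
    return findings


if __name__ == "__main__":
    policy = build_repository_policy(
        pull_principals=["arn:aws:iam::210987654321:root"],
        push_principals=["arn:aws:iam::210987654321:role/ciPushRole"],
    )
    print(json.dumps(policy, indent=2))
    print("findings:", lint_repository_policy(policy) or "none")
```

Write the printed JSON to policy.json and apply it with set-repository-policy, or paste it into the Edit policy JSON editor from step 5. Because a repository policy is a resource-based policy, no Resource element is needed; the repository you attach it to is the implicit resource.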

Generate a temporary Docker authentication token

The Docker client in the secondary account can't push to or pull from the repository until it authenticates with a temporary authorization token, which is valid for 12 hours. The token is obtained with the secondary account's credentials but is used to log in to the primary account's registry. The get-login-password command calls the GetAuthorizationToken API, base64-decodes the returned token, and prints the password part. Pipe that output into a docker login command with --password-stdin, so that the token never appears on the command line or in shell history.

Note: The IAM identity that gets the token must have identity-based permissions for ecr:GetAuthorizationToken and for the push or pull actions that it uses. For examples, see AWS managed policies for Amazon Elastic Container Registry. To troubleshoot issues with Docker, turn on debug mode on your Docker daemon.

Complete the following steps:

  1. To generate a Docker authorization token for an identity that pushes and pulls images outside of Amazon ECS, run the get-login-password command with the secondary account's credentials and pipe its output into docker login:
    AWS CLI:

    aws ecr get-login-password --region regionID | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.regionID.amazonaws.com

    AWS Tools for Windows PowerShell:

    (Get-ECRLoginCommand).Password | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.regionID.amazonaws.com

    Note: Replace aws_account_id with your primary account ID (the account that owns the repository). Replace regionID with the AWS Region of the repository. The command runs with the secondary account's credentials; only the registry hostname belongs to the primary account.

    You receive output similar to the following. The warning appears when Docker stores the token in plain text in config.json; to avoid that, configure a Docker credential store or the Amazon ECR Docker Credential Helper:

    aws ecr get-login-password --region ap-south-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.ap-south-1.amazonaws.com

    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    Login Succeeded

    If a credential store is already configured, the output is only:

    Login Succeeded
  2. Perform a test pull from the primary account's repository (a test push uses the same registry URI with docker push):

    docker pull AccountID.dkr.ecr.Region.amazonaws.com/RepositoryName:TagName

    Note: Replace AccountID and Region with your primary account ID and Region. Replace RepositoryName and TagName with your values.

  3. To validate that the image successfully downloaded, run the following command:

    docker images | grep ImageName

    Note: Replace ImageName with the name of your image.
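The script below is an added example, not AWS code, that expands the one-line login command above into its component steps so you can see what get-login-password does and drive the same flow from automation. It calls GetAuthorizationToken with the secondary account's credentials, base64-decodes the returned AWS:password token exactly as get-login-password does, refuses a token that has already passed its 12-hour expiry, and hands the password to docker login over stdin (--password-stdin) so that it never lands in ps output or shell history. The registry it logs in to is the primary account's hostname, not the proxyEndpoint the API returns, which is the caller's own registry. The account IDs, Region, the FakeEcrClient class and fake_docker_run are constructed placeholders so the block runs offline; in real use pass boto3.client("ecr", region_name=REGION) as the client and leave run at its default.

```python
"""Cross-account ECR login, expanded from the article's one-liner.

Added example; not AWS code. Account IDs and the sample API response are
constructed placeholders. Real use: client = boto3.client("ecr", region_name=REGION).
"""
import base64
import datetime as dt
import subprocess

PRIMARY_ACCOUNT = "123456789012"    # owns the repository (placeholder)
SECONDARY_ACCOUNT = "210987654321"  # runs this script (placeholder)
REGION = "ap-south-1"


def registry_host(account_id, region):
    """Hostname of a private ECR registry: <account>.dkr.ecr.<region>.amazonaws.com."""
    return f"{account_id}.dkr.ecr.{region}.amazonaws.com"


def decode_authorization_token(token_b64):
    """GetAuthorizationToken returns base64('AWS:<password>'); split it as get-login-password does."""
    user, sep, password = base64.b64decode(token_b64).decode().partition(":")
    if sep != ":" or user != "AWS":
        raise ValueError("unexpected authorization token format")
    return user, password


def token_valid_for(expires_at, now=None):
    """Seconds of validity left (tokens last 12 hours); <= 0 means fetch a new one."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return (expires_at - now).total_seconds()


def docker_login_argv(registry):
    """--password-stdin keeps the token out of `ps` and shell history."""
    return ["docker", "login", "--username", "AWS", "--password-stdin", registry]


def login_to_registry(client, registry, run=subprocess.run):
    """Fetch a token with the caller's (secondary account) credentials and log Docker in to `registry`."""
    data = client.get_authorization_token()["authorizationData"][0]
    if token_valid_for(data["expiresAt"]) <= 0:
        raise RuntimeError("authorization token already expired")
    _, password = decode_authorization_token(data["authorizationToken"])
    result = run(docker_login_argv(registry), input=password.encode(), capture_output=True)
    return result.returncode == 0


class FakeEcrClient:
    """Constructed stand-in for boto3.client("ecr"), so the block runs offline."""

    def __init__(self, ttl_hours=12):
        self.ttl = dt.timedelta(hours=ttl_hours)

    def get_authorization_token(self):
        return {"authorizationData": [{
            "authorizationToken": base64.b64encode(b"AWS:constructed-sample-password").decode(),
            "expiresAt": dt.datetime.now(dt.timezone.utc) + self.ttl,
            # proxyEndpoint is the caller's own registry; we log in to the primary account's instead.
            "proxyEndpoint": "https://" + registry_host(SECONDARY_ACCOUNT, REGION),
        }]}


def fake_docker_run(argv, input=b"", capture_output=False):
    """Constructed stand-in for docker: succeeds only if the token arrived on stdin."""
    ok = argv[:2] == ["docker", "login"] and "--password-stdin" in argv and input
    return subprocess.CompletedProcess(argv, 0 if ok else 1)


if __name__ == "__main__":
    target = registry_host(PRIMARY_ACCOUNT, REGION)
    print("login to", target, "->", login_to_registry(FakeEcrClient(), target, run=fake_docker_run))
```

After a successful login the docker pull and docker push commands in the steps above work against the primary account's registry until the token expires; long-running jobs should call login_to_registry again rather than cache the password.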

AWS OFFICIAL, updated 6 months ago