Alright, so this is really strange but I do have it working.
Taking a look at other questions and at aws ecr get-login-password help, that command does something fairly unexpected. You cannot specify which ECR registry to generate a login password for, so the generation of the token is irrespective of which account you are in. This means that you simply generate the password in whatever account you are pulling from, and AWS associates that password with the IAM principal being used to generate it. In my case, this means that the role in the production account is bound to that password/identity, and then when we authenticate using docker login, we target the artifacts account's registry, i.e.
# generate a login password from within the **production** account,
# and log in using that password to the **artifacts** account's registry:
aws --profile mycompany-prod ecr get-login-password | \
  docker login -u AWS --password-stdin "${ARTIFACTS_ACCOUNT_ID}.dkr.ecr.${ARTIFACTS_ACCOUNT_REGION}.amazonaws.com"
For this to work, the IAM principal being used in aws ecr get-login-password (i.e. the output of aws sts get-caller-identity) must have the permission (in the production account) to ecr:GetAuthorizationToken. My IAM principal is an IAM role prod-ecr-pull-role, and this means I have to attach the following policy to it in that account:
{
  "Statement": [
    {
      "Action": "ecr:GetAuthorizationToken",
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "AllowGetAuthToken"
    }
  ],
  "Version": "2012-10-17"
}
Next, in the ECR account (in my case, the artifacts account), we must add the IAM role ARN (or any IAM principal from the production account you want to target) to the ECR repository policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::987654321098:role/prod-ecr-pull-role"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:ListImages"
      ]
    }
  ]
}
So to boil this down to a checklist:
- In the account which contains the IAM principal (user or role) which needs to pull across accounts from ECR, that IAM principal must have ecr:GetAuthorizationToken on Resource: "*". This amounts to authentication.
- In the account which contains the ECR repository, you must grant the appropriate ecr:* permissions to a Principal of type AWS which gives the IAM principal ARN (e.g. arn:aws:iam::987654321098:role/prod-ecr-pull-role) the ability to use the ecr:* permissions you wish to grant. This amounts to authorization.
The implications of this are that ECR login passwords are globally identifiable across all AWS accounts and are bound to the IAM principal that generated them. Then, when docker login occurs, AWS behind the scenes identifies the login password with that IAM principal, and then evaluates in the ECR repository policy whether that principal can take the specified actions.
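As an added example (not part of the answer above, and not an AWS tool), here is a small Python check for the authorization half of that checklist: it reads a repository policy like the one in the answer and reports which of the actions a docker pull needs are not effectively granted to a given principal ARN. The policy text and the role ARN are the ones from the answer; the function names and the simplified wildcard matching are my own assumptions, not IAM's real evaluation engine.

```python
"""Added example: check that an ECR repository policy grants a principal the
actions a `docker pull` needs. Wildcard handling is a simplified model of
IAM's rules, not IAM itself."""
import fnmatch
import json

# Actions `docker pull` exercises against a private ECR registry.
PULL_ACTIONS = ("ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer")

# Repository policy from the answer above (artifacts account).
REPO_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "AllowPull", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::987654321098:role/prod-ecr-pull-role"},
  "Action": ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
             "ecr:DescribeRepositories", "ecr:GetDownloadUrlForLayer",
             "ecr:ListImages"]}]}"""
PULL_ROLE = "arn:aws:iam::987654321098:role/prod-ecr-pull-role"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return any(p in ("*", principal_arn) for p in _as_list(aws))

def _action_matches(stmt, action):
    # IAM matches action names case-insensitively, with * and ? wildcards.
    patterns = (p.lower() for p in _as_list(stmt.get("Action", [])))
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def missing_pull_actions(policy_json, principal_arn):
    """Return the pull actions not effectively allowed for principal_arn.
    As in IAM, an explicit Deny beats any Allow."""
    allowed, denied = set(), set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if not _principal_matches(stmt, principal_arn):
            continue
        hits = {a for a in PULL_ACTIONS if _action_matches(stmt, a)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return sorted(a for a in PULL_ACTIONS if a in denied or a not in allowed)

if __name__ == "__main__":
    gaps = missing_pull_actions(REPO_POLICY, PULL_ROLE)
    print("pull allowed" if not gaps else f"missing: {gaps}")
```

Run it against the policy you are about to attach before the docker login step; an empty result means the authorization half is in place, and any listed action is one the pull will fail on.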
please accept the answer if it was helpful