ECR cross-account pull permissions

amazon-web-services amazon-ecs

Solution 1:

You also need to configure permissions in the ECR for cross account access. To give pull access to the ECR of Account A to Account B, put the following JSON policy in the ECR Permissions tab.

{
    "Version": "2008-10-17",
    "Statement": [
      {
        "Sid": "AllowCrossAccountPull",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::aws_account_b_number:root"
        },
        "Action": [
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchCheckLayerAvailability",
          "ecr:BatchGetImage"
        ]
      }
    ]
  }

enter image description here

Solution 2:

You need to setup a cross account role for Account b to assume.

Create the cross account role in the account that has the Registry, A, give access to the registry in the role. And give the Account B the permissions to assume that role.

http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

Related

How to setup a central repository on a Windows 2008 server
SVN client authentication error
Second Level Subdomain DNS Wildcard
Check public DNS health and RFC compliance
Looking for an open source email archiving application [closed]
VirtualBox - use in small office and backing up
Is there a web-based log-tailing application? [closed]
What are pros and cons of logrotate vs rotatelogs with Apache?
HP Universal Print Drivers Incredibly Slow
How to restore a SQL Server database and shrink its files at the same time?
Apache error log with PHP errors
Is there a service that will redirect your naked domain.com requests to www.domain.com? [closed]