I have two accounts, `a1` and `a2`.
I have an EC2 instance in `a1`, `a1.ec2`. It assumes some role in that account, `a1.r`. This role has full access to all ECR actions.
Now, I have an image registry (ECR) in `a2` and would like to be able to access it from `a1.ec2`.
So, I ssh into that instance and in order to test the access I run

```
aws ecr describe-repositories --region <my-region> --registry-id <id of a2>
```
But I get the error

```
An error occurred (AccessDeniedException) when calling the DescribeRepositories operation: User: arn:aws:sts::<id of a1>:assumed-role/a1.r/i-075fad654b998275c is not authorized to perform: ecr:DescribeRepositories on resource: arn:aws:ecr:*:*:repository/*
```
However, this permission is indeed granted to the role `a1.r`. I verified this by being able to access an ECR in `a1` just fine.
Also, the ECR I'd like to access has the following permission policies, so I made sure that the trouble is not caused by the ECR of `a2`:

```json
{
  "Sid": "new statement",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<id of a1>:root"
  },
  "Action": "*"
},
{
  "Sid": "new statement",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<id of a1>:role/a1.r"
  },
  "Action": "*"
}
```
I had a look at https://serverfault.com/questions/897392/ecr-cross-account-pull-permissions where the solution appears to be to create cross-account roles. Although I could create such a role `a2.cross-acc-r`, I cannot figure out how I can assume that role for the `aws ecr` CLI commands. I do not want the EC2 instance to assume that role, as it resides in a different account (not even sure if that is possible at all).
Am I lacking something basic regarding how AWS IAM works?
If you want to pull and push images from one account's EC2 instance into another account's ECR, and do not need the full `aws ecr` CLI functionality, you can do so through docker.
For example, if you want your Jenkins to push built images into ECRs residing in different AWS accounts, depending on the targeted environment (production, staging).
Doing so via docker is documented at https://aws.amazon.com/premiumsupport/knowledge-center/secondary-account-access-ecr/
Put simply, in the ECR repository, you grant the other account the needed permissions.
Then you get a temporary authentication token to authorize docker towards ECR via:
```
$(aws ecr get-login --registry-ids <account ID> --region <your region> --no-include-email)
```
After this, you can use `docker pull` and `docker push` to access it.