0
votes

How can I get my ECS Fargate cluster to pull a container from a private Docker registry that is in another AWS account? If the private Docker registry is in the same account I don't need authentication, but otherwise I get CannotPullContainerError: Error response from daemon: pull access denied for <account id>.dkr.ecr.ap-southeast-2.amazonaws.com/project/container, repository does not exist or may require 'docker login'

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html talks about authentication and private registries but doesn't seem to mention my use case of an ECR in another AWS account. It looks like I can add access to a defined list of AWS accounts in the ECR permissions, but possibly there are other approaches? The passwords that are generated for ECR only seem to last for 12 hours, so that won't work.

1
Yeah as far as I could see adding accounts to the ECR permissions seemed like the best way to do this (and possibly the only way?). - tschumann

1 Answer

1
votes

In the account running your Fargate service, the task execution role specified in your task definition should have permissions to pull an image.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage"
            ],
            "Resource": "arn:aws:ecr:eu-west-1:<account id>:repository/project",
            "Effect": "Allow"
        },
        {
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

And in the account containing the ECR, you should specify in the ECR repository policy that the account containing the task execution role is allowed to access the repository. In the ECR policy below the whole account is added, which might be a bit much security-wise, but that is something you can tighten.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "PullImage",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<accountid>:root"
            },
            "Action": [
                "ecr:BatchGetImage",
                "ecr:DescribeImages",
                "ecr:DescribeRepositories",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages"
            ]
        }
    ]
}
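The cross-account pull only works when both halves of the answer agree: the task execution role in the Fargate account must be allowed to reach the repository ARN (plus ecr:GetAuthorizationToken on "*"), and the repository policy in the ECR account must name a principal from that same Fargate account. The script below is an added example, not code from the answer or from AWS: it is an offline consistency check over the two policy documents that reports missing pull actions, a principal/account mismatch, and (as the answer suggests tightening) a whole-account ":root" principal that could be narrowed to the task execution role ARN. The account ids, the role name and the repository ARN are constructed placeholders, and the minimal pull action set it checks for is this example's assumption, not an AWS-published list; it is a sanity check, not a replacement for the IAM policy simulator.

```python
import copy
import re

# Constructed placeholders standing in for the <account id> values in the answer.
CONSUMER_ACCOUNT = "111111111111"   # account running the Fargate service
REGISTRY_ACCOUNT = "222222222222"   # account that owns the ECR repository
REPO_ARN = f"arn:aws:ecr:eu-west-1:{REGISTRY_ACCOUNT}:repository/project"
EXECUTION_ROLE_ARN = f"arn:aws:iam::{CONSUMER_ACCOUNT}:role/ecsTaskExecutionRole"  # hypothetical name

# Same shape as the task execution role policy in the answer (identity side).
TASK_EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
         "Resource": REPO_ARN, "Effect": "Allow"},
        {"Action": "ecr:GetAuthorizationToken", "Resource": "*", "Effect": "Allow"},
    ],
}

# Same shape as the repository policy in the answer (resource side, whole-account principal).
REPOSITORY_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "PullImage", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{CONSUMER_ACCOUNT}:root"},
         "Action": ["ecr:BatchGetImage", "ecr:DescribeImages", "ecr:DescribeRepositories",
                    "ecr:GetDownloadUrlForLayer", "ecr:GetLifecyclePolicy",
                    "ecr:GetLifecyclePolicyPreview", "ecr:GetRepositoryPolicy", "ecr:ListImages"]},
    ],
}

# Assumed minimal set a pull needs against the repository; the token call is registry-wide
# and can only come from the identity-side policy, so it is checked separately.
PULL_ACTIONS = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"}
TOKEN_ACTION = "ecr:GetAuthorizationToken"

# Matches a bare account id, "arn:aws:iam::<acct>:root" or "arn:aws:iam::<acct>:role/...".
PRINCIPAL_ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def role_actions_on(role_policy, resource):
    """Actions the identity policy allows on `resource` (a statement on "*" covers any ARN)."""
    actions = set()
    for stmt in role_policy.get("Statement", []):
        resources = _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") == "Allow" and (resource in resources or "*" in resources):
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def grants_for_account(repo_policy, account):
    """Actions the repository policy allows to principals in `account`, and which
    principal strings matched, so the caller can judge how broad each grant is."""
    actions, matched = set(), set()
    for stmt in repo_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        names = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for name in names:
            m = PRINCIPAL_ACCOUNT_RE.match(name)
            if name == "*" or (m and m.group(1) == account):
                matched.add(name)
                actions.update(_as_list(stmt.get("Action", [])))
    return actions, matched


def check_cross_account_pull(role_policy, repo_policy, consumer_account, repo_arn):
    """Return {"errors": [...], "warnings": [...]}; no errors means the pull should be allowed."""
    errors, warnings = [], []
    # Identity side: the execution role must reach the repository ARN and the token call.
    missing = PULL_ACTIONS - role_actions_on(role_policy, repo_arn)
    if missing:
        errors.append(f"execution role lacks {sorted(missing)} on {repo_arn}")
    if TOKEN_ACTION not in role_actions_on(role_policy, "*"):
        errors.append(f'execution role lacks {TOKEN_ACTION} on Resource "*"')
    # Resource side: the repository policy must admit a principal from the consumer account.
    repo_actions, matched = grants_for_account(repo_policy, consumer_account)
    if not matched:
        errors.append(f"repository policy grants nothing to account {consumer_account}")
    elif PULL_ACTIONS - repo_actions:
        errors.append(f"repository policy lacks {sorted(PULL_ACTIONS - repo_actions)}")
    for name in sorted(matched):
        if name == "*":
            warnings.append("repository policy allows any AWS principal ('*')")
        elif name == consumer_account or name.endswith(":root"):
            warnings.append(f"{name} grants the whole account; consider the task execution role ARN")
    return {"errors": errors, "warnings": warnings}


def with_principal(repo_policy, principal_arn):
    """Copy of the repository policy with every Allow statement narrowed to one principal."""
    narrowed = copy.deepcopy(repo_policy)
    for stmt in narrowed["Statement"]:
        if stmt.get("Effect") == "Allow":
            stmt["Principal"] = {"AWS": principal_arn}
    return narrowed


if __name__ == "__main__":
    for label, policy in [("as posted", REPOSITORY_POLICY),
                          ("narrowed to role", with_principal(REPOSITORY_POLICY, EXECUTION_ROLE_ARN))]:
        print(label, check_cross_account_pull(TASK_EXECUTION_ROLE_POLICY, policy, CONSUMER_ACCOUNT, REPO_ARN))
```

Run as a script it reports the posted pair as consistent but warns about the ":root" principal, and reports the narrowed pair as clean; swapping in a different consumer account id reproduces the "grants nothing" error that corresponds to the pull access denied failure in the question.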