How can I allow a secondary account to push or pull images in my Amazon ECR image repository?

Last updated: 2020-04-07

I want to allow a secondary account to push or pull images in my Amazon Elastic Container Registry (Amazon ECR) image repository.

Short Description

To push or pull images to or from an Amazon ECR repository in another account, you need two things. First, a repository policy in the account that owns the repository (the primary account) must allow the secondary account to perform the relevant ECR API calls against that repository. Second, the IAM user or role in the secondary account must carry an AWS Identity and Access Management (IAM) policy that allows the same API calls, plus ecr:GetAuthorizationToken, so that it can obtain a registry token. A repository policy on its own is not enough: for cross-account access, both the resource-based policy on the repository and the identity-based policy on the caller must allow the action. After you configure both and obtain a token, you can push or pull images according to the actions allowed.

Resolution

Create a policy that allows the secondary account to perform API calls against the image repository

1.    Open the Amazon ECR console for your primary account.

2.    Select the name of the repository that you want to modify.

3.    From the navigation menu, choose Permissions.

4.    To add a repository policy for your secondary account from within your primary account, choose Edit policy JSON, enter your policy into the code editor, and then choose Save.

Important: In your policy, name the secondary account as the principal (by its 12-digit account ID, or by the ARN of a specific IAM user or role in that account) and list only the actions that the account needs against the repository.

The following example repository policy allows two specific IAM users to push and pull images. As written, the users are in your own (primary) account; for a cross-account grant, use user or role ARNs from the secondary account instead, with 123456789012 replaced by the secondary account's ID:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPushPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/push-pull-user-1",
                    "arn:aws:iam::123456789012:user/push-pull-user-2"
                ]
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload"
            ]
        }
    ]
}

The following example repository policy allows a specific account (replace 123456789012 with the secondary account's ID) to push images. Because the principal is the account root, the grant is delegated to the whole account: any IAM user or role there can use it, provided its own IAM policy also allows these actions. Pulling additionally requires ecr:BatchGetImage, which this policy does not grant:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountPush",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload"
            ]
        }
    ]
}
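The two policies above cover only the repository side. The following Python module, added here as an example and not part of the original article, builds both halves of a cross-account grant: the resource-based repository policy for the primary account and the identity-based IAM policy for the secondary account's user or role. It chooses the action set for pull-only, push-only or push-and-pull access, refuses account IDs that are not 12 digits, rejects principal ARNs that belong to a different account, and can apply the repository policy with boto3's set_repository_policy. The account IDs, region, repository name and the "pull"/"push"/"push-pull" mode names are placeholders chosen for the example.

```python
"""Build the two policies that cross-account ECR access needs.

Added example (not from the AWS article). Account IDs, repository
names and the mode names are made-up placeholders.
"""
import json
import re

# Actions docker pull needs (via the ECR registry API).
PULL_ACTIONS = [
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "ecr:BatchCheckLayerAvailability",
]
# Actions docker push needs.
PUSH_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:PutImage",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
]

_ACCOUNT_ID = re.compile(r"^\d{12}$")


def actions_for(mode):
    """Return the ECR actions for 'pull', 'push' or 'push-pull' (deduplicated, in order)."""
    if mode == "pull":
        wanted = PULL_ACTIONS
    elif mode == "push":
        wanted = PUSH_ACTIONS
    elif mode == "push-pull":
        wanted = PULL_ACTIONS + PUSH_ACTIONS
    else:
        raise ValueError("mode must be 'pull', 'push' or 'push-pull'")
    return list(dict.fromkeys(wanted))


def repository_policy(secondary_account_id, mode="pull", principal_arns=None):
    """Resource-based policy to attach to the primary account's repository.

    With principal_arns=None the grant goes to the account root, which delegates
    to every IAM principal in that account whose own IAM policy allows the
    action. Passing explicit user/role ARNs narrows the grant.
    """
    if not _ACCOUNT_ID.match(secondary_account_id):
        raise ValueError("account ID must be exactly 12 digits")
    if principal_arns is None:
        principal_arns = [f"arn:aws:iam::{secondary_account_id}:root"]
    for arn in principal_arns:
        if not arn.startswith(f"arn:aws:iam::{secondary_account_id}:"):
            raise ValueError(f"principal {arn} is not in account {secondary_account_id}")
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccount" + mode.title().replace("-", ""),
            "Effect": "Allow",
            "Principal": {"AWS": principal_arns},
            "Action": actions_for(mode),
        }],
    }


def identity_policy(primary_account_id, region, repo_name, mode="pull"):
    """Identity-based policy for the secondary account's user or role.

    ecr:GetAuthorizationToken is not resource-scoped, so it needs Resource "*";
    the push/pull actions are scoped to the single repository ARN.
    """
    repo_arn = f"arn:aws:ecr:{region}:{primary_account_id}:repository/{repo_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {"Effect": "Allow", "Action": actions_for(mode), "Resource": repo_arn},
        ],
    }


def apply_repository_policy(repo_name, policy, region):
    """Attach the policy using boto3; run with the primary account's credentials."""
    import boto3  # imported here so the rest of the module works without boto3
    ecr = boto3.client("ecr", region_name=region)
    return ecr.set_repository_policy(repositoryName=repo_name, policyText=json.dumps(policy))


if __name__ == "__main__":
    # Placeholder accounts: 111122223333 is the secondary, 123456789012 the primary.
    print(json.dumps(repository_policy("111122223333", "push-pull"), indent=4))
    print(json.dumps(identity_policy("123456789012", "us-east-1", "my-app", "push-pull"), indent=4))
```

The push-pull action list this produces is the same seven actions as the first policy above; the identity policy is what the secondary account's administrator attaches to the user or role that will run docker login.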

Get a temporary Docker authentication token from the secondary account

The secondary account can't perform the policy actions on the repository until a user or role in that account obtains a temporary authorization token, which is valid for 12 hours. The token is used as the password for docker login and lets you run Docker push and pull commands against the primary account's registry. Requesting it requires ecr:GetAuthorizationToken in the caller's IAM policy in the secondary account.

1.    To get a Docker authentication token for a user or role that pushes and pulls images outside of Amazon ECS, run the following command with the secondary account's credentials, using your primary account ID for the --registry-ids parameter:

aws ecr get-login --registry-ids 123456789012 --region us-east-1 --no-include-email

The preceding command returns a docker login command with the proper authorization token for Amazon ECR. Note: aws ecr get-login exists only in AWS CLI version 1. Version 2 removed it in favor of aws ecr get-login-password, which prints only the password so that you pipe it into docker login --username AWS --password-stdin instead of placing it on the command line.

2.    Copy the output of the command in step 1, and then paste the output into your terminal environment. See the following example. The two warnings that Docker prints are expected with this form of the command: the password is passed as a command-line argument (so it lands in shell history and process listings) and is then stored unencrypted in the Docker config file unless a credential helper is configured.

[root@mycomputer ~]# aws ecr get-login --registry-ids 123456789012 --region us-east-1 --no-include-email
docker login -u AWS -p eyJwYXlsb2FkIjoi....NUZCeTkydVU2b2R9 https://123456789012.dkr.ecr.us-east-1.amazonaws.com

[root@mycomputer ~]# docker login -u AWS -p eyJwYXlsb2FkIjoi....NUZCeTkydVU2b2R9 https://123456789012.dkr.ecr.us-east-1.amazonaws.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@mycomputer ~]#

3.    To use Amazon ECS to pull images from the repository, reference the image in the task definition. No docker login is needed in this case: the ECS agent obtains the token itself, using the task execution role (or, for the EC2 launch type without one, the container instance role). That role therefore needs ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability, ecr:GetDownloadUrlForLayer, and ecr:BatchGetImage in its IAM policy, and the repository policy must allow the same pull actions for that role's account.

Note: The user or role in the secondary account that gets the token also needs IAM permissions for the API calls it will make against the repository in the primary account (at minimum ecr:GetAuthorizationToken on "*", plus the push or pull actions listed in the repository policy). For examples, see Amazon ECR Managed Policies, such as AmazonEC2ContainerRegistryReadOnly for pull-only access and AmazonEC2ContainerRegistryPowerUser for push and pull. To troubleshoot issues with Docker, enable debug mode on your Docker daemon.
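The following Python module, added here as an example and not part of the original article, shows what happens underneath the get-login and get-login-password commands and how to log in without the warnings shown in step 2. The ECR GetAuthorizationToken response carries a base64 string of the form "AWS:<password>"; the module decodes it, checks how much of the 12-hour lifetime is left, and runs docker login with the password fed over stdin rather than on the command line. The sample authorization data, the account IDs and the region are constructed placeholders; the boto3 call is only made when the module is run as a script from the secondary account's credentials.

```python
"""Log Docker in to a cross-account ECR registry without putting the
password on the command line.

Added example (not from the AWS article). SAMPLE_AUTH_DATA is constructed
to have the shape of one entry of GetAuthorizationToken's authorizationData;
it is not a real token.
"""
import base64
import datetime
import subprocess
import time

SAMPLE_AUTH_DATA = {
    "authorizationToken": base64.b64encode(b"AWS:example-password-not-real").decode(),
    "expiresAt": datetime.datetime(2020, 4, 7, 12, 0, tzinfo=datetime.timezone.utc),
    "proxyEndpoint": "https://123456789012.dkr.ecr.us-east-1.amazonaws.com",
}


def registry_host(account_id, region):
    """Hostname of an account's ECR registry in a region."""
    return f"{account_id}.dkr.ecr.{region}.amazonaws.com"


def decode_authorization_token(token):
    """Split the base64 'AWS:<password>' token into (user, password)."""
    raw = base64.b64decode(token).decode()
    user, sep, password = raw.partition(":")
    if sep != ":" or user != "AWS" or not password:
        raise ValueError("unexpected ECR authorization token format")
    return user, password


def seconds_remaining(auth_data, now_ts=None):
    """Seconds until the token expires; now_ts is a Unix timestamp (default: now)."""
    now_ts = time.time() if now_ts is None else now_ts
    return auth_data["expiresAt"].timestamp() - now_ts


def token_is_usable(auth_data, now_ts=None, margin_seconds=300):
    """True if the token still has at least margin_seconds of life left."""
    return seconds_remaining(auth_data, now_ts) > margin_seconds


def docker_login_command(auth_data, registry):
    """argv for docker login that reads the password from stdin (never from argv)."""
    user, _ = decode_authorization_token(auth_data["authorizationToken"])
    return ["docker", "login", "--username", user, "--password-stdin", registry]


def fetch_auth_data(primary_account_id, region):
    """Request a token for the primary account's registry using the caller's credentials."""
    import boto3  # local import so the module loads without boto3 installed
    ecr = boto3.client("ecr", region_name=region)
    # registryIds selects the primary account's registry, as --registry-ids does
    # for the CLI; the caller must hold ecr:GetAuthorizationToken.
    resp = ecr.get_authorization_token(registryIds=[primary_account_id])
    return resp["authorizationData"][0]


def docker_login(auth_data, registry):
    """Run docker login, passing the password over stdin."""
    _, password = decode_authorization_token(auth_data["authorizationToken"])
    return subprocess.run(docker_login_command(auth_data, registry),
                          input=password.encode(), check=True)


if __name__ == "__main__":
    import sys
    primary, region = sys.argv[1], sys.argv[2]  # e.g. 123456789012 us-east-1
    data = fetch_auth_data(primary, region)
    if not token_is_usable(data):
        sys.exit("token is already about to expire; request a new one")
    docker_login(data, registry_host(primary, region))
```

Because the password travels over stdin, it does not appear in shell history or in the process list, which removes the first of the two warnings in step 2; the second (unencrypted storage in the Docker config file) is addressed by configuring a credential helper.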

