How can I allow a secondary account to push or pull images in my Amazon ECR image repository?

Last updated: 2020-09-28

I want to allow a secondary account to push or pull images in my Amazon Elastic Container Registry (Amazon ECR) image repository.

Short description

To push or pull images to or from an Amazon ECR repository in another account, you must create a policy that allows the secondary account to perform API calls against the repository. After you configure the permissions and obtain a token for the repository, you can push or pull images based on the actions allowed. The user who obtains the token also needs the relevant AWS Identity and Access Management (IAM) API permissions to modify the repository.

Resolution

Choose either option A or B.

(Option A) Create a policy that allows the secondary account to perform API calls against the image repository

1.    Open the Amazon ECR console for your primary account.

2.    Select the name of the repository that you want to modify.

3.    From the navigation menu, choose Permissions.

4.    To add a repository policy for your secondary account from within your primary account, choose Edit policy JSON, enter your policy into the code editor, and then choose Save.

Important: In your policy, include the account number of the secondary account and the actions that the account can perform against the repository.

The following example repository policy allows a specific account to push and pull images:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPushPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account-id:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload"
            ]
        }
    ]
}

5.    In the task definition, set the image that you want to use with Amazon ECS. Your image is hosted in the primary account's ECR repository.
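The following Python script is an added example, not part of this article or of any AWS tooling: it generates the repository policy above for a given secondary account ID, adds a pull-only variant for accounts that only need to run images (the first three actions in the article's policy are enough to pull; the remaining four are needed only to push), and includes a check that reports which accounts a policy grants push access to, so an over-broad policy can be caught before you choose Save. Function names and the sample account ID are constructed for the example.

```python
import re

# Actions an account needs to pull images (the first three in the article's policy).
PULL_ACTIONS = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"]
# Extra actions needed only to push layers and manifests.
PUSH_ACTIONS = ["ecr:PutImage", "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"]


def build_repository_policy(secondary_account_id, allow_push=False):
    """Repository policy granting the secondary account's root principal pull,
    or push and pull, access. IAM users/roles in that account still need
    matching IAM permissions of their own (see the article's note)."""
    if not re.fullmatch(r"\d{12}", secondary_account_id):
        raise ValueError("account id must be 12 digits: %r" % secondary_account_id)
    actions = PULL_ACTIONS + (PUSH_ACTIONS if allow_push else [])
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "AllowPushPull" if allow_push else "AllowPull",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::%s:root" % secondary_account_id},
            "Action": actions,
        }],
    }


def accounts_with_push(policy):
    """Account ids (or '*') whose Allow statements carry every push action.
    Run this over a policy before saving it to catch over-broad grants
    (wildcard actions such as ecr:* are not expanded by this check)."""
    found = set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not set(PUSH_ACTIONS) <= set(actions):
            continue
        principal = stmt.get("Principal", "*")
        if principal == "*":          # anonymous push: almost never intended
            found.add("*")
            continue
        arns = principal.get("AWS", [])
        for arn in [arns] if isinstance(arns, str) else arns:
            m = re.match(r"arn:aws:iam::(\d{12}):", arn)
            found.add(m.group(1) if m else arn)
    return found
```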

(Option B) Use a temporary Docker authentication token from the secondary account to perform a test pull of the image from the primary account

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, be sure that you’re using the most recent version of the AWS CLI.

The secondary account can't perform the policy actions on the repository until it obtains a temporary authentication token, which is valid for 12 hours. With a token generated from the secondary account, you can run Docker push and pull commands against the primary account's repository. The AWS CLI get-login-password command simplifies this by retrieving and decoding the authorization token, which you can then pipe into a docker login command to authenticate.

1.    To get a Docker authentication token for an account that pushes and pulls images outside of Amazon ECS, run the following command, replacing region and aws_account_id with your primary account's Region and account ID.

Using the AWS CLI:

aws ecr get-login-password --region region | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com

Using AWS Tools for Windows PowerShell:

(Get-ECRLoginCommand).Password | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com

You receive the following output:

aws ecr get-login-password --region ap-south-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.ap-south-1.amazonaws.com
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded

2.    Perform a test image pull or push to the primary account.

Note: The account that gets the token requires permissions for the necessary API calls in the repository account. For examples, see Amazon ECR managed policies. To troubleshoot issues with Docker, enable debug mode on your Docker daemon. The get-login-password command is supported in the latest version of AWS CLI version 2 and in v1.17.10 or later of AWS CLI version 1. For more information, see get-login-password.
