How can I allow a secondary account to push or pull images in my Amazon ECR image repository?

Last updated: 2021-02-16

I want to allow a secondary account to push or pull images in my Amazon Elastic Container Registry (Amazon ECR) image repository.

Resolution

You can push or pull images to or from an Amazon ECR repository in another account. First, you must create a policy that allows the secondary account to perform API calls against the repository. Then, use a Docker authentication token generated from the secondary account to use push and pull commands against the primary account's repository.

Create a policy that allows the secondary account to perform API calls against the image repository

1.    Open the Amazon ECR console for your primary account.

2.    Choose the hyperlinked Repository name of the repository that you want to modify.

3.    From the left navigation pane, under Amazon ECR - Repositories, choose Permissions.

4.    To add a repository policy for your secondary account from within your primary account, choose Edit policy JSON. Enter your policy into the code editor, and then choose Save.

Important: In your policy, include the account number of the secondary account and the actions that the account can perform against the repository.

The following example repository policy allows a specific account to push and pull images:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPushPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account-id:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload"
            ]
        }
    ]
}

5.    In the task definition, set the image that you want to use with Amazon ECS. Your image is hosted in the primary account's Amazon ECR repository.
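Before saving a repository policy like the one above, it is worth checking exactly which principals it grants pull and which it grants push. The following Python audit is an added example (not part of this article or of AWS's tooling): it reads a repository policy, reports per Allow statement who can pull and who can push, and flags a wildcard principal. The split of actions into a pull set and a push set is this example's own assumption about what docker pull and docker push call.

```python
"""Audit an Amazon ECR repository policy for cross-account push and pull grants."""
import json

# Assumed grouping (this example's, not an AWS definition): the actions that
# `docker pull` needs, and the additional actions that `docker push` needs.
PULL_REQUIRED = {"ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"}
PUSH_REQUIRED = {"ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
                 "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"}

def _as_list(value):  # Principal.AWS and Action may be a string or a list
    return value if isinstance(value, list) else [value]

def audit_repository_policy(policy_json):
    """Return one finding per Allow statement: who is granted pull and/or push."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        actions = set(_as_list(stmt.get("Action", [])))
        any_action = bool(actions & {"*", "ecr:*"})  # a wildcard action grants everything
        findings.append({
            "sid": stmt.get("Sid", ""),
            "principals": principals,
            "can_pull": any_action or PULL_REQUIRED <= actions,
            "can_push": any_action or PUSH_REQUIRED <= actions,
            "wildcard_principal": "*" in principals,
        })
    return findings

def granted_account_ids(findings):
    """Collect the account IDs named in the principals, to review against an allow list."""
    ids = set()
    for finding in findings:
        for arn in finding["principals"]:
            parts = arn.split(":")  # arn:aws:iam::<account-id>:root
            if len(parts) >= 5 and parts[4].isdigit():
                ids.add(parts[4])
    return ids

# Constructed sample: the article's push-and-pull statement, plus a pull-only statement open to any principal.
SAMPLE_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [
    {"Sid": "AllowPushPull", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"]},
    {"Sid": "PublicPull", "Effect": "Allow", "Principal": "*",
     "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]}]})
FINDINGS = audit_repository_policy(SAMPLE_POLICY)
```

Running it on the sample reports the secondary account with both pull and push, and the second statement as pull-only but granted to every principal, which is the kind of grant to reject before choosing Save.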

Generate a temporary Docker authentication token from the secondary account and perform a test push or pull

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

The secondary account can't perform policy actions on the repository until it receives a temporary authentication token that's valid for 12 hours. The token allows the secondary account to use Docker push and pull commands against the primary account's repository. The get-login-password command retrieves and decodes the authorization token that you can then pipe into a docker login command to authenticate.

Note: The account that gets the token must have the relevant AWS Identity and Access Management (IAM) API permissions to modify the repository. For examples, see Amazon ECR managed policies. To troubleshoot issues with Docker, enable debug mode on your Docker daemon. This command is supported in the latest version of AWS CLI version 2, or in v1.17.10 or later of AWS CLI version 1. For more information, see get-login-password.

1.    To generate a Docker authentication token for an account that pushes and pulls images outside of Amazon ECS, run the following command. Replace aws_account_id with your primary account ID, and replace regionID with your Region ID.

Using the AWS CLI:

aws ecr get-login-password --region regionID | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.regionID.amazonaws.com

Using AWS Tools for Windows PowerShell:

(Get-ECRLoginCommand).Password | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.regionID.amazonaws.com

You receive the following output:

aws ecr get-login-password --region ap-south-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.ap-south-1.amazonaws.com
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    
Login Succeeded

2.    Perform a test image pull or push to the primary account.
