I want to allow a secondary account to be able to connect to my Amazon ECR image repository to push or pull images. How can I configure this?

To push or pull images to or from an ECR repository in another account, you must create a policy that allows the secondary account to perform those API calls against the repository. You can set this policy in the permissions tab for the repository in the Amazon ECS console. After you have configured the permissions and obtained a token for the repository, you will be able to push or pull images based on the actions allowed. The user that obtains the token also needs the relevant API permissions to be able to modify the repository.

To enable a secondary account to be able to pull or push images from or to your ECR repository, you must give the secondary account permissions to perform those actions.

  1. In the left navigation pane of the Amazon ECS console, choose Repositories.
  2. Click the name of the repository you want to modify.
  3. On the Permissions tab, choose Add.
  4. Fill in the specifics of the permissions, such as the account number of the secondary account and the actions that the account will be able to perform against the repository, and then choose Save.

For an example, see Example: Allow Other Accounts.
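As an added illustration (not code from AWS or from the original article), the following Python builds the repository policy document that step 4 describes, scoped to one named secondary account and to pull-only actions unless push is requested. It also checks a policy for wildcard principals or actions. The account ID 111122223333, the `Sid` values and the function names are assumptions made for the example.

```python
import json
import re

# Least-privilege ECR action sets; account IDs used below are constructed placeholders.
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
]
PUSH_ACTIONS = [
    "ecr:CompleteLayerUpload",
    "ecr:InitiateLayerUpload",
    "ecr:PutImage",
    "ecr:UploadLayerPart",
]

def build_repository_policy(account_id, allow_push=False):
    """Return a repository policy granting one secondary account pull (optionally push)."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    actions = PULL_ACTIONS + (PUSH_ACTIONS if allow_push else [])
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSecondaryAccount",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": sorted(actions),
        }],
    }

def audit_policy(policy):
    """List Allow statements that grant more than a named account needs."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in ([aws] if isinstance(aws, str) else (aws or [])):
            findings.append(f"{sid}: principal is '*' (any AWS account)")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("*", "ecr:*") for a in actions):
            findings.append(f"{sid}: wildcard action")
    return findings

if __name__ == "__main__":
    print(json.dumps(build_repository_policy("111122223333"), indent=2))
```

The printed JSON is the policy document that the Permissions tab stores for the repository; `aws ecr set-repository-policy --repository-name <repository> --policy-text file://policy.json` applies the same document from the CLI.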

The secondary account can perform those actions on the repository once it has the required temporary (12-hour) authentication token. When pulling and pushing images outside of ECS, you can obtain the Docker authentication token for that account with the following get-login command:

$(aws ecr get-login --registry-ids <account_ID_of_repository> --region <region>)

The regular Docker push and pull commands are available by using the token. When using ECS to pull images from the repository, set the image in the task definition.

Note: In either case, the account that performs the token acquisition requires permissions for the necessary API calls in the repository account. For examples, see Amazon ECR Managed Policies.

For more troubleshooting, turn on Docker debugging; see Enabling Docker Debug Output.

Amazon EC2 Container Service (Amazon ECS), Amazon EC2 Container Registry (Amazon ECR), repository, cross-account


Published: 2016-08-04