I want to allow a secondary account to be able to connect to my Amazon Elastic Container Registry (Amazon ECR) image repository to push or pull images. How can I configure this?

To push or pull images to or from an ECR repository in another account, you must create a policy that allows the secondary account to perform those API calls against the repository. You can set this policy in the permissions tab for the repository in the Amazon Elastic Container Service (Amazon ECS) console. After you configure the permissions and obtain a token for the repository, you can push or pull images based on the actions allowed. The user who obtains the token also needs the relevant API permissions to modify the repository.

To enable a secondary account to pull or push images from or to your ECR repository, you must give the secondary account permissions to perform those actions.

  1. In the left navigation pane of the Amazon ECS console, choose Repositories.
  2. Select the name of the repository you want to modify.
  3. On the Permissions tab, choose Add.
  4. Fill in the specifics of the permissions, such as the account number of the secondary account and the actions that the account can perform against the repository, and then choose Save. For an example, see Example: Allow Other Accounts.

The secondary account can perform those actions on the repository after it has the required temporary (12-hour) authentication token. When pulling and pushing images outside of Amazon ECS, you can obtain the Docker authentication token for that account with the following get-login command:

$ aws ecr get-login --registry-ids <account_ID_of_repository> --region <region>

With the token, you can use the regular Docker push and pull commands. When using Amazon ECS to pull images from the repository, set the image in the task definition.

Note: In either case, the account that acquires the token requires permissions for the necessary API calls in the repository account. For examples, see Amazon ECR Managed Policies.

For further troubleshooting, turn on Docker debugging; see Enabling Docker Debug Output.
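The repository policy from step 4 can also be generated and applied from the command line. The following is an added example, not part of the original article: the function name `ecr_cross_account_policy` is hypothetical and the account ID `123456789012` is a constructed placeholder. It limits the grant to one 12-digit account and to only the pull actions, or pull plus push actions, so a wildcard principal cannot be set by mistake.

```shell
#!/bin/sh
# Added example: emit an ECR repository policy for one secondary account.
# Usage: ecr_cross_account_policy <12-digit-account-id> <pull|push-pull>
ecr_cross_account_policy() {
    account_id=$1
    mode=$2

    # Accept exactly 12 digits, so "*" or a malformed ID can never
    # end up in the Principal element of the policy.
    case $account_id in
        *[!0-9]*|'') echo "invalid account ID" >&2; return 1 ;;
    esac
    [ "${#account_id}" -eq 12 ] || { echo "invalid account ID" >&2; return 1; }

    # ECR API actions needed to pull an image.
    actions='"ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"'
    case $mode in
        pull) ;;
        push-pull)
            # Additional ECR API actions needed to push an image.
            actions="$actions, \"ecr:PutImage\", \"ecr:InitiateLayerUpload\", \"ecr:UploadLayerPart\", \"ecr:CompleteLayerUpload\""
            ;;
        *) echo "mode must be pull or push-pull" >&2; return 1 ;;
    esac

    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CrossAccountAccess",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:root" },
      "Action": [ ${actions} ]
    }
  ]
}
EOF
}

# Applying the result (run in the repository account; placeholders as above):
#   ecr_cross_account_policy 123456789012 pull > policy.json
#   aws ecr set-repository-policy --repository-name <repository_name> \
#       --policy-text file://policy.json --region <region>
```

Because the principal is the secondary account's root ARN, users and roles in that account still need their own IAM permissions for these ECR actions, as the note above states.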

Published: 2016-08-04

Updated: 2018-07-23