13

We have two AWS accounts. Account A has ECR repositories and Account B is meant to be able to pull from them.

I have tried setting the repository permission statements in Account A to allow pulling from Account B but AWS claims my policy is not valid.

I have tried:

  • Setting the principal to be the account number of Account B. This results in the error "Your permission statements have one or more invalid parameters. Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'".
  • Setting the principal to the ARN of the root user in Account B (arn:aws:iam::1234567891011:root). This results in the error "The service name arn:aws:iam::1234567891011:root is invalid. A valid service name format is [service].amazonaws.com."
  • Setting the principal to the ARN of an IAM user in Account B. Same error as above.

The above have been done through the AWS console which does not allow editing the JSON directly for ECR permissions. I have tried the CLI command aws ecr set-repository-policy with the above changes but the same errors were returned in the terminal.

Adding permissions for IAM users within the same account works just fine.

The actions I have tried to add under the policy are:

        "Action": [
            "ecr:BatchGetImage",
            "ecr:GetDownloadUrlForLayer",
            "ecr:GetRepositoryPolicy",
            "ecr:ListImages",
            "ecr:DescribeRepositories"
        ]

Any ideas what I might be doing wrong?

Amandil
  • 351
  • 1
  • 2
  • 7

2 Answers

8

You also need to configure permissions in the ECR for cross account access. To give pull access to the ECR of Account A to Account B, put the following JSON policy in the ECR Permissions tab.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws_account_b_number:root"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage"
      ]
    }
  ]
}


Razan Paul
  • 211
  • 2
  • 5
1

You need to set up a cross-account role for Account B to assume.

Create the cross-account role in the account that has the registry, A, and give the role access to the registry. Then give Account B the permissions to assume that role.

http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

strongjz
  • 822
  • 4
  • 7
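Both answers come down to getting the principal into the form ECR and IAM accept: an IAM ARN under the "AWS" key, not a bare account number and not under "Service" (the "valid service name format is [service].amazonaws.com" error in the question is what you get when an IAM ARN ends up as a Service principal). The following script is an added example and is not code from either answer or from AWS. It builds the pull-only repository policy from the first answer and the role trust policy from the second, normalising whatever principal it is given into an ARN, and includes a small check that a policy only grants the read actions a consumer needs. The account id, sid and function names are constructed placeholders.

```python
import json
import re

# Constructed placeholder: AWS account ids are 12 digits.
ACCOUNT_B = "111122223333"

# Read-only actions a consumer needs to pull an image; no push or delete rights.
PULL_ACTIONS = [
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
]

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
IAM_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(root|user/.+|role/.+)$")


def principal_arn(principal: str) -> str:
    """Normalise a principal into the ARN form ECR accepts.

    A bare 12-digit account id becomes that account's root ARN; an IAM ARN
    (root, user or role) passes through unchanged. Anything else, such as a
    service name, is rejected rather than silently emitted.
    """
    if ACCOUNT_ID_RE.match(principal):
        return f"arn:aws:iam::{principal}:root"
    if IAM_ARN_RE.match(principal):
        return principal
    raise ValueError(f"not an AWS account id or IAM ARN: {principal!r}")


def ecr_pull_policy(principals: list[str], sid: str = "AllowCrossAccountPull") -> dict:
    """Repository policy for Account A granting pull-only access to principals."""
    arns = [principal_arn(p) for p in principals]
    return {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Sid": sid,
                "Effect": "Allow",
                # Principal goes under the "AWS" key; a single ARN is emitted as a string.
                "Principal": {"AWS": arns[0] if len(arns) == 1 else arns},
                "Action": list(PULL_ACTIONS),
            }
        ],
    }


def role_trust_policy(trusted_account: str) -> dict:
    """Trust policy for a role in Account A that Account B is allowed to assume."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn(trusted_account)},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def check_pull_only(policy: dict) -> bool:
    """Return True when every Allow statement grants only actions in PULL_ACTIONS."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") == "Allow" and not set(actions) <= set(PULL_ACTIONS):
            return False
    return True


if __name__ == "__main__":
    # The first document is what `aws ecr set-repository-policy --policy-text` expects;
    # the second is the trust policy attached to the cross-account role.
    print(json.dumps(ecr_pull_policy([ACCOUNT_B]), indent=2))
    print(json.dumps(role_trust_policy(ACCOUNT_B), indent=2))
```

The repository policy alone does not finish the job: principals in Account B still need an identity-based policy in their own account that allows the same ecr actions, plus ecr:GetAuthorizationToken for the registry login. check_pull_only is the kind of guard worth running in CI over policy files so a later edit cannot quietly widen a pull-only grant to ecr:*.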