AWS ECR for cross-account access

Taegu Kang
1 min read
  • outline

A private ECR repository can be shared with another AWS account safely by attaching a repository policy (a resource-based IAM policy) in the owning account and an identity policy to the pulling principal in the other account.

  • how-to

Source AWS Account

  • AWS ECR >> Select "Repository" >> Permissions >> Edit policy JSON

  • Repository policy (replace account-id with the destination account ID). The statement below grants both push and pull; for a pull-only consumer keep just the first three actions. Note that ":root" trusts every principal the destination account's own IAM policies allow, so prefer naming a specific role ARN when the consumer is known.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPushPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account-id:root"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload"
      ]
    }
  ]
}

Destination AWS Account

  • The pulling principal (IAM user or role) needs an identity policy that allows ecr:GetAuthorizationToken on "*" and ecr:GetDownloadUrlForLayer, ecr:BatchGetImage and ecr:BatchCheckLayerAvailability on the source repository ARN. The repository policy in the source account alone is not enough; cross-account access needs both policies.

  • Log in to the source account's registry and pull using the full registry URL: <source-account-id>.dkr.ecr.<region>.amazonaws.com/<repository>:<tag>
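The whole procedure as a script, added here as an example and not taken from the original post: one function emits the source-side repository policy (pull-only by default, optionally narrowed to a single role instead of the whole account), one emits the destination-side identity policy, and two wrappers run the real aws/docker commands. The account IDs, role name, region and repository name are placeholders, not values from the post.

```shell
#!/usr/bin/env bash
# Added example (not the original post's code). Account IDs, role name,
# region and repository name are placeholders.
set -eu

# build_repo_policy DEST_ACCOUNT_ID [ROLE_NAME] [yes|no]
# Prints the repository (resource-based) policy for the SOURCE account.
# Pull-only by default; pass "yes" as the third argument to add push actions.
# Naming a role narrows the trust from the whole destination account (:root)
# to that single role.
build_repo_policy() {
  local account="$1" role="${2:-}" allow_push="${3:-no}"
  printf '%s' "$account" | grep -Eq '^[0-9]{12}$' || {
    echo "build_repo_policy: account id must be 12 digits: $account" >&2
    return 1
  }
  local principal="arn:aws:iam::${account}:root"
  if [ -n "$role" ]; then
    principal="arn:aws:iam::${account}:role/${role}"
  fi
  local actions='"ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"'
  if [ "$allow_push" = "yes" ]; then
    actions="$actions"', "ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"'
  fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CrossAccountAccess",
      "Effect": "Allow",
      "Principal": { "AWS": "${principal}" },
      "Action": [ ${actions} ]
    }
  ]
}
EOF
}

# build_identity_policy SOURCE_ACCOUNT_ID REGION REPO
# Prints the identity policy for the pulling role in the DESTINATION account.
# GetAuthorizationToken is registry-wide, so its Resource must be "*";
# the pull actions are scoped to the one source repository ARN.
build_identity_policy() {
  local repo_arn="arn:aws:ecr:${2}:${1}:repository/${3}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*" },
    {
      "Effect": "Allow",
      "Action": [ "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability" ],
      "Resource": "${repo_arn}"
    }
  ]
}
EOF
}

# apply_repo_policy REGION REPO DEST_ACCOUNT_ID [ROLE_NAME]
# Run with SOURCE account credentials.
apply_repo_policy() {
  aws ecr set-repository-policy --region "$1" --repository-name "$2" \
    --policy-text "$(build_repo_policy "$3" "${4:-}")"
}

# pull_cross_account REGION SOURCE_ACCOUNT_ID REPO TAG
# Run with DESTINATION account credentials. The login token is requested by
# the destination principal but used to log in to the SOURCE registry URL.
pull_cross_account() {
  local registry="${2}.dkr.ecr.${1}.amazonaws.com"
  aws ecr get-login-password --region "$1" \
    | docker login --username AWS --password-stdin "$registry"
  docker pull "${registry}/${3}:${4}"
}

# Usage (placeholder values):
#   apply_repo_policy ap-northeast-2 my-app 111122223333 ci-pull-role   # source account
#   pull_cross_account ap-northeast-2 123456789012 my-app latest        # destination account
```

Source the file and call the two apply/pull functions with the right credentials in each account; build_identity_policy's output is what goes on the destination role, for example via aws iam put-role-policy.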

  • reference

https://repost.aws/knowledge-center/secondary-account-access-ecr
