
Pull image from AWS ECR of other account with EC2 IAM Role

AWS Account ECR Owner: 933747831396

Added IAM Role: CrossRoleForPuller

arn:aws:iam::933747831396:role/CrossRoleForPuller

Policies: AmazonEC2ContainerRegistryReadOnly

Trusted entities: the Puller account, 254184725579

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::254184725579:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Permissions on ECR repo

933747831396.dkr.ecr.us-east-1.amazonaws.com/testrepo

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "Allow PULL ",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::254184725579:root"          
        ]
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:ListImages",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}

Puller AWS Account: 254184725579

Created EC2 instance IAM role: ec2puller

Policies: AmazonEC2ContainerRegistryPowerUser

Trust policy: (default value)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}   

Tests

On the Puller account's EC2 host (account 254184725579)

Check AWS identity

$ aws sts get-caller-identity
{
    "Account": "254184725579", 
    "UserId": "AROATWLUXDRFTIDVWT6QE:i-0c1028df1a09b668b", 
    "Arn": "arn:aws:sts::254184725579:assumed-role/ec2puller/i-0c1028df1a09b668b"
}

Get login

$ aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 933747831396.dkr.ecr.us-east-1.amazonaws.com
WARNING! Your password will be stored unencrypted in /home/ec2-user/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Pull images

$ docker pull 933747831396.dkr.ecr.us-east-1.amazonaws.com/testrepo:latest
latest: Pulling from testrepo
29015087d73b: Pull complete 
0109a00d13bc: Pull complete 
d3caffff64d8: Pull complete 
Digest: sha256:e6d0a6d995c167bd339fa8b9bb2f585acd9a6e505a6b3fb6afb5fcbd52bbefb8
Status: Downloaded newer image for 933747831396.dkr.ecr.us-east-1.amazonaws.com/testrepo:latest
933747831396.dkr.ecr.us-east-1.amazonaws.com/testrepo:latest
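
Both the role trust policy and the repository policy above name the Puller account root as principal, which delegates access to every principal in 254184725579 that its own IAM policies allow, and the trust policy's Condition block is empty. The following check is an added example, not part of the original notes: it flags such statements and rewrites the repository policy to name a single role. The ec2puller role ARN is an assumption derived from the get-caller-identity output above, and the function names are hypothetical.

```python
import copy

# The two policies from this page, reduced to the fields the check reads.
TRUST_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::254184725579:root"},
    "Action": "sts:AssumeRole",
    "Condition": {},
}]}
REPO_POLICY = {"Statement": [{
    "Sid": "Allow PULL ",
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::254184725579:root"]},
    "Action": ["ecr:BatchGetImage", "ecr:ListImages", "ecr:GetDownloadUrlForLayer"],
}]}
# Assumption: role ARN derived from the get-caller-identity output on this page.
PULLER_ROLE = "arn:aws:iam::254184725579:role/ec2puller"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _aws_principals(statement):
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))

def audit(policy, name):
    """List Allow statements that trust a whole account (or everyone) unconditionally."""
    findings = []
    for index, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue  # skip Deny and conditioned statements; an empty {} restricts nothing
        for p in _aws_principals(st):
            if p == "*" or p.endswith(":root") or p.isdigit():
                findings.append(f"{name}[{index}]: {p} has no Condition")
    return findings

def narrow(policy, account_id, role_arn):
    """Copy the policy, replacing the account-wide principal with one role."""
    wide = {account_id, f"arn:aws:iam::{account_id}:root"}
    out = copy.deepcopy(policy)
    for st in _as_list(out["Statement"]):
        principal = st.get("Principal")
        if isinstance(principal, dict) and "AWS" in principal:
            principal["AWS"] = [role_arn if p in wide else p
                                for p in _as_list(principal["AWS"])]
    return out

if __name__ == "__main__":
    for name, policy in (("trust", TRUST_POLICY), ("repo", REPO_POLICY)):
        print(audit(policy, name))
    print(narrow(REPO_POLICY, "254184725579", PULLER_ROLE))
```

The rewritten policy is what would be saved as the repository's permissions; the check treats any non-empty Condition as a restriction and does not evaluate it.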