Support for pulling ECR images from another AWS account? #308

Closed
jhovell opened this issue Feb 10, 2016 · 11 comments

Comments

@jhovell

commented Feb 10, 2016

I'm not sure if this is supposed to work or if I just have something misconfigured. I have set up some cross-account policies and roles which seem to be working based on a few boto and CLI test scripts. But it seems the ECS agent would need to be made aware of the cross account role and use sts assume role to be able to download from another account.

The error I get in ECS and Docker is misleading (404, not 403 or 401). Perhaps that is a sign this is actually supposed to work, but Googling I can only find how to set up cross-account access in general and nothing about ECS agent support.

http://docs.aws.amazon.com/AmazonECR/latest/userguide/RepositoryPolicyExamples.html#IAM_allow_other_accounts

ECS agent log


Docker log


time="2016-02-10T07:27:39.052084026Z" level=error msg="HTTP Error" err="No such image: 111111111111.dkr.ecr.us-east-1.amazonaws.com/my-app:1.0 (tag: 1.0)" statusCode=404 

@dangrd


commented Feb 10, 2016

Make sure you are using the latest version of the agent to ensure you have a version built with Amazon ECR support. Support was added in late December 2015, which handles authentication to ECR.

After that, the easiest way to do cross-account permissions with ECR is using repository policies, following the example from the document you linked above. This policy document is applied directly to an Amazon ECR repository with no need for additional roles or temporary tokens. The Amazon ECS agent, using standard configuration, uses the EC2 instance role to make calls to AWS. This should work fine to access cross-account registries. Make sure this role has the AmazonEC2ContainerServiceforEC2Role managed policy applied so that the agent has permissions to the Amazon ECR APIs.

I believe the 404 error here is a bit of a red herring. If the Docker client fails the attempt to pull the image the client falls back to the V1 API. Since Amazon ECR does not support Docker Registry V1 this reports a 404. I believe this behavior has been changed in Docker 1.10.

@jhovell


commented Feb 10, 2016

thank you @dangrd 👍 ... Adding a repository policy was what I needed to do. I didn't realize this couldn't be accomplished through cross account roles. Nice that this can be specified at the repository level as well.

In case it helps anyone my policy allows pulling from another account:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "CrossAccountPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        }
    ]
}

@jhovell jhovell closed this Feb 10, 2016

@hamstah


commented Jul 15, 2016

@jhovell Did you have to setup anything else to get it to work?

I'm having issues with my cross-account setup too.

docker.errors.APIError: 500 Server Error: Internal Server Error ("denied: User: arn:aws:sts::XXXX:assumed-role/blah/i-bleh is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:eu-west-1:YYYY:repository/ZZZZ")

I have the same policy as the one you have for the repo ZZZZ in account YYYY, with XXXX as my principal.

Not sure what the issue is

@karelbemelmans


commented Aug 30, 2016

@hamstah I'm having the same issue as you had, did you find a solution for it?

@picwelltimjones


commented Jan 5, 2017

Trouble with cross-account pulls was resolved for one of our users once we had the user properly log in. If cross-account, the user needs to set the registry id to the id of the target account:

$(aws ecr get-login --registry-ids <accountID_of_repository> --region <region>)

@AlexShuraits


commented Jan 18, 2017

@karelbemelmans , @hamstah Same issue here. Did you succeed?

@hamstah


commented Jan 18, 2017

Hey,

The following policy works for me, sorry I missed your comment @karelbemelmans

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "CrossAccountPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": "${cross_account_id}"
            },
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        }
    ]
}

Note that the user needs to log in with

aws ecr get-login

with both accounts after assuming the right credentials.
(I do it in boto too.)
Let me know if that works. I have it working, so it's definitely possible, but it might be an issue with auth.

@AlexShuraits
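As an added example (not code from this thread or from the ECS agent project), the Python below builds the pull-only repository policy shown in jhovell's and hamstah's comments for one or more account ids, and checks, from the repository-policy side only, whether a caller ARN of the shape in the "denied: User: arn:aws:sts::..." error above would be granted a given action. The function names and the sample account ids are assumptions; as samuelkarp notes, the caller's own IAM profile must also allow the action for a pull to succeed.

```python
import re

# Repository-level actions a pulling principal needs (those in the thread's
# policies). ecr:GetAuthorizationToken is not scoped to a repository: the ECS
# agent gets that permission from the instance role's own IAM policy instead.
PULL_ACTIONS = ("ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability")

_ARN_ACCOUNT = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def build_pull_policy(account_ids):
    """Pull-only repository policy for whole accounts: the account root as
    principal delegates to that account's IAM, so its instance roles can pull."""
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "CrossAccountPull",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in account_ids]},
            "Action": list(PULL_ACTIONS),
        }],
    }


def account_of(principal):
    """Account id of a bare 12-digit id, an IAM ARN, or an STS assumed-role ARN
    (the shape in the thread's 'denied: User: arn:aws:sts::...' error)."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = _ARN_ACCOUNT.match(principal)
    if not m:
        raise ValueError(f"unrecognised principal: {principal}")
    return m.group(1)


def is_pull_allowed(policy, caller_arn, action):
    """Repository-policy side only: does an Allow statement name the caller's
    account (or *) and list the action? The caller's IAM policy must allow it too."""
    caller = account_of(caller_arn)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or action not in stmt.get("Action", []):
            continue
        principals = stmt["Principal"]
        principals = principals["AWS"] if isinstance(principals, dict) else principals
        principals = [principals] if isinstance(principals, str) else principals
        if "*" in principals or caller in {account_of(p) for p in principals}:
            return True
    return False
```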

@AlexShuraits


commented Jan 18, 2017

@hamstah Thanks for quick reply.
Is there a way to do "aws ecr get-login" on an ECS service?
I am getting this error inside the service; I am not trying to pull the image on my local/remote machine.
I tried to connect to the machine where the service is trying to pull the image, and the aws cli is not even installed there. I am using the ECS-optimized AMI provided by Amazon.
I tried to allow every account with "Principal : *" and all the ecr actions inside, and I am still getting this error.

@samuelkarp


commented Jan 18, 2017

@AlexShuraits The ECS agent will perform the necessary steps to obtain an authorization token from ECR. Please ensure that you have the permissions necessary in both the repository policy of the account that owns the repository and in the IAM profile on your EC2 instance. Please see the documentation on repository policies and the documentation on permissions necessary for your EC2 IAM profile. If you're continuing to experience difficulties, please feel free to open a new issue.

@hamstah


commented Jan 18, 2017

@AlexShuraits


commented Jan 19, 2017

@samuelkarp @hamstah I have created a new issue, #675.
