Support for pulling ECR images from another AWS account? #308
Comments
Make sure you are using the latest version of the agent to ensure you have a version built with Amazon ECR support. Support was added in late December 2015, which handles authentication to ECR. After that, the easiest way to do cross-account permissions with ECR is using repository policies, following the example from the document you linked above. This policy document is applied directly to an Amazon ECR repository with no need for additional roles or temporary tokens.

The Amazon ECS agent using standard configuration uses the EC2 instance role to make calls to AWS. This should work fine to access cross-account registries. Make sure this role has the

I believe the 404 error here is a bit of a red herring. If the Docker client fails the attempt to pull the image, the client falls back to the V1 API. Since Amazon ECR does not support Docker Registry V1, this reports a 404. I believe this behavior has been changed in Docker 1.10.
thank you @dangrd 👍 ... Adding a repository policy was what I needed to do. I didn't realize this couldn't be accomplished through cross account roles. Nice that this can be specified at the repository level as well. In case it helps anyone, my policy allows pulling from another account:

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "CrossAccountPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ]
    }
  ]
}
```
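As an added example (not code from this thread or from the ECS agent project): a small Python checker that reads a repository policy like the one above and reports whether it stays pull-only (no wildcard principal, no actions beyond the three a pull needs) and whether a given puller account is actually granted all three. The policy text and the account id 111111111111 are constructed samples.

```python
import json

# Constructed sample: the pull-only repository policy from the comment above,
# granting account 111111111111 (a made-up id) the three actions a pull needs.
SAMPLE_POLICY = """{
  "Version": "2008-10-17",
  "Statement": [{
    "Sid": "CrossAccountPull",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
               "ecr:BatchCheckLayerAvailability"]
  }]
}"""

# Every action docker pull / the ECS agent needs on the repository; a policy
# that grants more than these is no longer pull-only.
PULL_ACTIONS = {"ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_pull_policy(policy_text, puller_account):
    """Return findings for a repository policy meant to let one other account
    pull. An empty list means: only pull actions, no wildcard principal, and
    puller_account is granted all three actions."""
    findings = []
    granted = set()  # actions the puller account ends up with
    for stmt in json.loads(policy_text).get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        actions = set(_as_list(stmt.get("Action", [])))
        if "*" in principals:
            findings.append(f"{sid}: wildcard principal lets every AWS account in")
        extra = actions - PULL_ACTIONS
        if extra:
            findings.append(f"{sid}: grants non-pull actions {sorted(extra)}")
        if "*" in principals or any(puller_account in p for p in principals):
            # a wildcard action such as ecr:* covers the pull actions too
            granted |= PULL_ACTIONS if any("*" in a for a in actions) else actions
    missing = PULL_ACTIONS - granted
    if missing:
        findings.append(f"account {puller_account} is not granted {sorted(missing)}")
    return findings
```

The repository policy is only half of what the agent needs: the EC2 instance profile in the pulling account must also allow the ECR calls, as noted later in this thread.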
@jhovell Did you have to setup anything else to get it to work? I'm having issue with my cross account setup too.
I have the same policy as the one you have for the repo ZZZZ in account YYYY, with XXXX as my principal. Not sure what the issue is.
@hamstah I'm having the same issue as you had, did you find a solution for it?
Trouble with cross-account pulls was resolved for one of our users once we had the user properly log in. If cross-account, the user needs to set the registry id to the id of the target account:
@karelbemelmans, @hamstah Same issue here. Did you succeed?
Hey, the following policy works for me; sorry I missed your comment @karelbemelmans.
Note that the user needs to login with
with both accounts after assuming the right credentials.
@hamstah Thanks for the quick reply.
@alexshuraits The ECS agent will perform the necessary steps to obtain an authorization token from ECR. Please ensure that you have the permissions necessary in both the repository policy of the account that owns the repository and in the IAM profile on your EC2 instance. Please see the documentation on repository policies and the documentation on permissions necessary for your EC2 IAM profile. If you're continuing to experience difficulties, please feel free to open a new issue.
Ah yes, I replied assuming a general pull, not from ECS. Sorry.
I also didn't include the repo policy, will do tomorrow.
> On 18 Jan 2017 6:30 pm, "Samuel Karp" wrote:
>
> @alexshuraits The ECS agent will perform the necessary steps to obtain an authorization token from ECR. Please ensure that you have the permissions necessary in both the repository policy of the account that owns the repository and in the IAM profile on your EC2 instance. Please see the documentation on repository policies <http://docs.aws.amazon.com/AmazonECR/latest/userguide/RepositoryPolicyExamples.html#IAM_allow_other_accounts> and the documentation on permissions necessary for your EC2 IAM profile <http://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_managed_policies.html#AmazonEC2ContainerServiceforEC2Role>. If you're continuing to experience difficulties, please feel free to open a new issue.
@samuelkarp @hamstah I have created new issue #675
I'm not sure if this is supposed to work or if I just have something misconfigured. I have set up some cross-account policies and roles which seem to be working based on a few boto and CLI test scripts. But it seems the ECS agent would need to be made aware of the cross account role and use sts assume role to be able to download from another account.
The error I get in ECS and Docker is misleading (404, not 403 or 401). Perhaps that is a sign this is actually supposed to work, but Googling I can only find how to set up cross-account access in general and nothing about ECS agent support:
http://docs.aws.amazon.com/AmazonECR/latest/userguide/RepositoryPolicyExamples.html#IAM_allow_other_accounts
ECS agent log
Docker log