ECR cross-account pull permissions
We have two AWS accounts. Account A has ECR repositories and Account B is meant to be able to pull from them.
I have tried setting the repository permission statements in Account A to allow pulling from Account B but AWS claims my policy is not valid.
I have tried:
- Setting the principal to be the account number of Account B. This results in the error: Your permission statements have one or more invalid parameters. Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'
- Setting the principal to the ARN of the root user in Account B (arn:aws:iam::1234567891011:root). This results in the error: The service name arn:aws:iam::1234567891011:root is invalid. A valid service name format is [service].amazonaws.com.
- Setting the principal to the ARN of an IAM user in Account B. Same error as above.
The above have been done through the AWS console, which does not allow editing the JSON directly for ECR permissions. I have tried the CLI command aws ecr set-repository-policy with the above changes but the same errors were returned in the terminal.
Adding permissions for IAM users within the same account works just fine.
The actions I have tried to add under the policy are:
    "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "ecr:DescribeRepositories"
    ]
Any ideas what I might be doing wrong?
amazon-web-services amazon-ecs
asked Feb 15 '18 at 14:04 by Amandil (edited Feb 15 '18 at 14:10)
2 Answers
You need to set up a cross-account role for Account B to assume.
Create the cross-account role in the account that has the registry, A, and give access to the registry in the role. And give Account B the permissions to assume that role.
http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
answered Feb 16 '18 at 14:45 by strongjz
You also need to configure permissions in the ECR for cross account access. To give pull access to the ECR of Account A to Account B, put the following JSON policy in the ECR Permissions tab.
    {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Sid": "AllowCrossAccountPull",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::aws_account_b_number:root"
                },
                "Action": [
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:BatchGetImage"
                ]
            }
        ]
    }
answered 6 mins ago by Razan Paul
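An offline check for the policy mistakes discussed in this thread, added here as an example and not part of the original question or answers: it parses a repository policy and reports a principal that is not an {"AWS": ...} map, an IAM ARN placed under Service, a malformed account ID, wildcards, and missing pull actions. The function names and the account ID 111122223333 are constructed for illustration, and the reading of the "service name" error is an assumption noted in the code.

```python
import json
import re
# Pull actions granted by the answer's policy above.
PULL_ACTIONS = {"ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"}
# Accepted "AWS" principals: a 12-digit account ID, or a root/user/role ARN.
AWS_PRINCIPAL = re.compile(r"^(\d{12}|arn:aws:iam::\d{12}:(root|user/.+|role/.+))$")

def as_list(value):
    """IAM JSON accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def check_pull_policy(policy_text):
    """Return findings for an ECR repository policy meant for cross-account pull."""
    findings = []
    for stmt in as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append("wildcard principal: any AWS account can pull")
        elif not isinstance(principal, dict):
            findings.append('Principal must be a map such as {"AWS": "<arn>"}')
        else:
            for kind, values in principal.items():
                for value in map(str, as_list(values)):
                    # Assumption: the "service name ... is invalid" error in the
                    # question means the ARN was submitted as a Service principal.
                    if kind == "Service" and value.startswith("arn:aws:iam::"):
                        findings.append(f"IAM ARN under Service, use AWS: {value}")
                    elif kind == "AWS" and value == "*":
                        findings.append("wildcard principal: any AWS account can pull")
                    elif kind == "AWS" and not AWS_PRINCIPAL.match(value):
                        findings.append(f"malformed AWS principal: {value}")
        actions = set(as_list(stmt.get("Action", [])))
        if actions & {"*", "ecr:*"}:
            findings.append("wildcard action grants more than pull")
        elif PULL_ACTIONS - actions:
            findings.append("missing pull actions: "
                            + ", ".join(sorted(PULL_ACTIONS - actions)))
    return findings

def make_policy(principal, actions):
    """Build a one-statement policy from constructed sample values."""
    return json.dumps({"Version": "2008-10-17", "Statement": [
        {"Sid": "AllowCrossAccountPull", "Effect": "Allow",
         "Principal": principal, "Action": actions}]})

print(check_pull_policy(make_policy("111122223333", sorted(PULL_ACTIONS))))
```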