Accessing ECR repository from different AWS environments

Use Case:

There are separate AWS environments for different business units, and a single Amazon Elastic Container Registry (ECR) repository holds the common Docker images that need to be pulled from these environments, each of which lives in a different AWS account.

By default, an ECR repository is accessible only to AWS services and principals in the same AWS account. The same repository can be made accessible from other AWS accounts by updating the ECR repository permissions (the repository's policy JSON).

For Example:

  • ECR repository is in env1 (AWS-ACCOUNT-1)
  • Sales Team services are running in env2 (AWS-ACCOUNT-2)
  • Finance Team services are running in env3 (AWS-ACCOUNT-3)

Follow these steps to update the ECR permissions so that the services of both the Sales and Finance teams can access the repository.

  1. Log in to the AWS console and open the desired ECR repository.
  2. Click on the Permissions tab.
  3. Click on Edit policy JSON. This shows you the current JSON policy document for the repository.
  4. Modify the current JSON policy document by adding a new statement. If the repository has no permissions set yet, then you can copy and paste the JSON policy document below. Make sure to update the required AWS account IDs in this JSON document before saving it.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "crossAccountAllowRead",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::<AWS-ACCOUNT-2>:root",
              "arn:aws:iam::<AWS-ACCOUNT-3>:root"
            ]
          },
          "Action": [
            "ecr:BatchCheckLayerAvailability",
            "ecr:BatchGetImage",
            "ecr:DescribeImages",
            "ecr:GetDownloadUrlForLayer",
            "ecr:ListImages"
          ]
        }
      ]
    }
    
  5. Click Save.
  6. Verify that the policy was saved by opening the Permissions tab again. The new permissions and the AWS account IDs should be listed there.
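The console procedure above can also be driven and, more importantly, checked from code. The following Python script is an added example and is not part of the original page: it builds the same policy document for a list of consumer account IDs, applies or reads it back through the real boto3 `set_repository_policy` / `get_repository_policy` calls (the client is assumed and not created here), and audits a policy for the mistakes that turn a "read from two accounts" grant into something broader: a wildcard principal, an account outside the approved list, or an action beyond the read-only set. The account IDs and the drifted policy are constructed placeholders.

```python
"""Build, apply and audit an ECR repository policy for cross-account pulls.

Added example, not the page's own code. Assumes the layout described above:
the repository lives in AWS-ACCOUNT-1, consumers are AWS-ACCOUNT-2 and
AWS-ACCOUNT-3. Account IDs below are constructed placeholders.
"""
import json
import re

# Read-only actions needed to pull an image: the same set as the page's policy.
READ_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:DescribeImages",
    "ecr:GetDownloadUrlForLayer",
    "ecr:ListImages",
]

_ACCOUNT_RE = re.compile(r"^\d{12}$")
_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def build_cross_account_read_policy(account_ids):
    """Return the policy document granting READ_ACTIONS to the root of each account."""
    principals = []
    for acct in account_ids:
        if not _ACCOUNT_RE.match(acct):
            raise ValueError(f"not a 12-digit AWS account ID: {acct!r}")
        principals.append(f"arn:aws:iam::{acct}:root")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "crossAccountAllowRead",
            "Effect": "Allow",
            "Principal": {"AWS": principals},
            "Action": list(READ_ACTIONS),
        }],
    }


def audit_repository_policy(policy, allowed_accounts):
    """Return findings for a policy (dict or JSON text); empty list means it is as intended.

    Flags: a wildcard principal, a principal outside allowed_accounts, and any
    Allow statement that grants an action outside READ_ACTIONS (e.g. ecr:PutImage).
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    allowed = set(allowed_accounts)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        # Principal may be the string "*" or a dict whose "AWS" value is a string or list.
        aws = "*" if principal == "*" else principal.get("AWS", [])
        for arn in ([aws] if isinstance(aws, str) else aws):
            if arn == "*":
                findings.append(f"{sid}: wildcard principal grants pull access to every AWS account")
                continue
            m = _PRINCIPAL_RE.match(arn)
            if not m:
                findings.append(f"{sid}: unexpected principal {arn}")
            elif m.group(1) not in allowed:
                findings.append(f"{sid}: account {m.group(1)} is not an approved consumer")
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            if action not in READ_ACTIONS:
                findings.append(f"{sid}: grants non-read action {action}")
    return findings


def apply_policy(ecr_client, repository_name, policy):
    """Console steps 4-5 via the API: ecr_client is an assumed boto3 ECR client."""
    ecr_client.set_repository_policy(repositoryName=repository_name,
                                     policyText=json.dumps(policy))


def fetch_policy(ecr_client, repository_name):
    """Console step 6 via the API: read the policy text back so it can be audited."""
    return ecr_client.get_repository_policy(repositoryName=repository_name)["policyText"]


# Constructed sample inputs (placeholder account IDs, not real accounts).
SALES_ACCOUNT = "222222222222"
FINANCE_ACCOUNT = "333333333333"
APPROVED = [SALES_ACCOUNT, FINANCE_ACCOUNT]

# A policy that drifted from the intended one: wildcard principal plus a push action.
DRIFTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "crossAccountAllowRead", "Effect": "Allow",
                   "Principal": {"AWS": "*"},
                   "Action": READ_ACTIONS + ["ecr:PutImage"]}],
})

if __name__ == "__main__":
    intended = build_cross_account_read_policy(APPROVED)
    print(json.dumps(intended, indent=2))
    print("intended policy findings:", audit_repository_policy(intended, APPROVED))
    print("drifted policy findings:", audit_repository_policy(DRIFTED_POLICY, APPROVED))
```

Running the script prints the generated policy, an empty findings list for it, and two findings for the drifted policy. Running the audit against `fetch_policy(...)` output on a schedule catches a later edit that widens the principal or the action list. One more point that the console steps do not show: this repository policy is only one half of a cross-account grant. The ECS task execution role or other IAM identity in the consuming account must itself be allowed to call `ecr:GetAuthorizationToken` and the read actions above, or the pull is still denied.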

Once the permissions are set on the ECR repository for the other AWS accounts, the services running in those AWS environments can pull from the repository without any change to the services or the environments. There is no need to share credentials from the repository's AWS account with these AWS accounts.