
I'm attempting to allow one AWS account (called "second" below) to pull an image in an ECR repository of another AWS account (called "first" below).

I'm following these documents:

I have added the following permissions to the ECR repository:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<second>:root"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}

Then I run this command: eval "$(aws ecr get-login --no-include-email --region us-east-1 --profile second --registry-ids <second> <first>)"

And I get this result:

WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /Users/libby/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /Users/libby/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

I changed the store to config.json temporarily just to make sure I could see that authentication was being added to the file as I expected, and it is:

{
        "auths": {
                "<second>.dkr.ecr.us-east-1.amazonaws.com": {
                        "auth": "<super long token>"
                },
                "<first>.dkr.ecr.us-east-1.amazonaws.com": {
                        "auth": "<super long token>"
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/18.09.0 (darwin)"
        },
        "stackOrchestrator": "swarm"
}

Finally I run: docker pull <first>.dkr.ecr.us-east-1.amazonaws.com/<repo>:<tag> and get this result:

Error response from daemon: pull access denied for <first>.dkr.ecr.us-east-1.amazonaws.com/<repo>, repository does not exist or may require 'docker login'

I've triple checked all the account numbers are correct, the repo is definitely there. I'm able to pull it if I log in with the same get-login command but --profile first.

I'm not sure what else to try so that I can pull this image!

Changing the Principal in the ECR permissions to "AWS": "arn:aws:iam::<second>:user/<user>" doesn't make any difference.

Libby

2 Answers

8

I figured it out -- the IAM user in the "second" account had a policy attached that limited its ECR access. The policy was:

    {
        "Sid": "ECRAccess",
        "Effect": "Allow",
        "Action": "ecr:*",
        "Resource": "arn:aws:ecr:us-east-1:<second>:repository/<unrelated-repo>"
    }

So even though the ECR repository in the "first" account had permissions allowing the user access, the user's own account restricted its access to a single unrelated repository.

When I added another section with the first account's repository ARN:

    {
        "Sid": "FirstAccountECRAccess",
        "Effect": "Allow",
        "Action": "ecr:*",
        "Resource": "arn:aws:ecr:us-east-1:<first>:repository/<repo>"
    }

Then docker pull worked!

Libby
  • Thanks! I was first sceptical, but facepalmed when I saw the policy restricting access to AWS::AccountId – alwe Apr 10 '19 at 22:34
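To make the rule behind the accepted answer concrete, here is an added Python example (not code from the question or either answer) that models how IAM combines a repository (resource-based) policy with the caller's identity policy for a cross-account pull: an explicit Deny in either policy wins; within one account an Allow in either policy is enough; across accounts the repository policy must name the principal (or its account's root, which delegates to that account) and the caller's own identity policy must also allow the action on the foreign repository ARN. The account ids, the user name libby, the repository names and the two identity policies are constructed placeholders that mirror the ones in the post. The model deliberately ignores SCPs, permission boundaries, session policies and Condition blocks, so it is a teaching aid, not a replacement for the IAM policy simulator.

```python
"""Simplified model of IAM cross-account evaluation for an ECR pull (added example)."""
from fnmatch import fnmatchcase

FIRST = "111111111111"   # constructed id of the repository-owning ("first") account
SECOND = "222222222222"  # constructed id of the pulling ("second") account

# The three actions a docker pull needs on the repository (from the repository policy in the question).
PULL_ACTIONS = (
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def account_of(arn):
    # arn:partition:service:region:account-id:resource -> account-id is field 4
    return arn.split(":")[4]


def principal_matches(stmt, principal_arn):
    """Does the Principal element of a resource-policy statement cover this caller?"""
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    acct = account_of(principal_arn)
    for entry in _as_list(principal.get("AWS", [])):
        # "<acct>" or "arn:aws:iam::<acct>:root" delegates to every identity in that
        # account; the identity policy in that account then decides.
        if entry in ("*", principal_arn, acct, f"arn:aws:iam::{acct}:root"):
            return True
    return False


def statement_applies(stmt, action, resource, principal_arn=None, need_principal=False):
    if need_principal and not principal_matches(stmt, principal_arn):
        return False
    if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    # ECR repository policies omit Resource; the statement implicitly covers the repository.
    return any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*")))


def evaluate(policy, action, resource, principal_arn=None, need_principal=False):
    """Return 'Allow', 'Deny' or None (no matching statement) for a single policy."""
    decision = None
    for stmt in policy.get("Statement", []):
        if statement_applies(stmt, action, resource, principal_arn, need_principal):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny short-circuits
            decision = "Allow"
    return decision


def is_allowed(principal_arn, action, resource, identity_policy, resource_policy):
    ident = evaluate(identity_policy, action, resource)
    res = evaluate(resource_policy, action, resource, principal_arn, need_principal=True)
    if "Deny" in (ident, res):
        return False
    if account_of(principal_arn) == account_of(resource):
        return "Allow" in (ident, res)          # same account: either policy suffices
    return ident == "Allow" and res == "Allow"  # cross account: both must allow


def can_pull(principal_arn, repo_arn, identity_policy, resource_policy):
    return all(is_allowed(principal_arn, a, repo_arn, identity_policy, resource_policy)
               for a in PULL_ACTIONS)


# Constructed policies mirroring the post.
REPO_ARN = f"arn:aws:ecr:us-east-1:{FIRST}:repository/app"
USER = f"arn:aws:iam::{SECOND}:user/libby"
REPO_POLICY = {"Version": "2008-10-17", "Statement": [{
    "Sid": "AllowCrossAccountPull", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{SECOND}:root"},
    "Action": list(PULL_ACTIONS)}]}
# Identity policy before the fix: ecr:* only on an unrelated repository in the second account.
BEFORE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ECRAccess", "Effect": "Allow", "Action": "ecr:*",
    "Resource": f"arn:aws:ecr:us-east-1:{SECOND}:repository/unrelated"}]}
# After the fix: an extra statement naming the first account's repository ARN.
AFTER = {"Version": "2012-10-17", "Statement": BEFORE["Statement"] + [{
    "Sid": "FirstAccountECRAccess", "Effect": "Allow", "Action": "ecr:*",
    "Resource": REPO_ARN}]}
# Same as AFTER but with an explicit Deny on one of the pull actions.
DENIED_LAYERS = {"Version": "2012-10-17", "Statement": AFTER["Statement"] + [{
    "Effect": "Deny", "Action": "ecr:GetDownloadUrlForLayer", "Resource": "*"}]}

if __name__ == "__main__":
    print("before fix:", can_pull(USER, REPO_ARN, BEFORE, REPO_POLICY))
    print("after fix: ", can_pull(USER, REPO_ARN, AFTER, REPO_POLICY))
    print("with deny: ", can_pull(USER, REPO_ARN, DENIED_LAYERS, REPO_POLICY))
```

Running it prints False, True, False: the repository policy alone never grants the pull, the widened identity policy does, and a Deny on any one of the three actions breaks the pull again even though the other two are allowed. The same structure explains why switching the repository policy's Principal from the account root to the specific user (as tried in the question) changes nothing: the resource side was already satisfied, and the missing Allow was on the identity side.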
0

Is your second account using an IAM user on your machine? Because in your policy you gave the root user on the second account access:

"Principal": { "AWS": "arn:aws:iam::<second>:root" },

consider changing this in your policy to:

"Principal": { "AWS": "arn:aws:iam::<second>:user/[nameofuser]" },