Amazon-ecs-agent: ECS agent can't pull image from ECR repository on another AWS account

Created on 19 Jan 2017 · 4 Comments · Source: aws/amazon-ecs-agent

I have 2 AWS accounts, A and B.

Account A has an ECR repository with a docker image that I want the ecs-agent on an ECS service in account B to pull.
Account A has an administration role with trusted relationships with account B.

My EC2 role is:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": [
          "ecs.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Effect": "Allow"
    }
  ]
}

EC2 role policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:Submit*",
        "ecs:StartTask",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetAuthorizationToken",
        "dynamodb:*"
      ],
      "Resource": "*"
    }
  ]
}

ECS service role policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:Describe*",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:RegisterTargets"
      ],
      "Resource": "*"
    }
  ]
}

ECR policy on account A:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "Prod Account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<ACCOUNT B>:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:DeleteRepository",
                "ecr:BatchDeleteImage",
                "ecr:SetRepositoryPolicy",
                "ecr:DeleteRepositoryPolicy"
            ]
        }
    ]
}

Also tried with Principal: "*"

When I start the ECS service I get the following error:

CannotPullContainerError: API error (500): denied: User: arn:aws:sts::<ACCOUNT B>:assumed-role/ec2_role/i-0625d2e6eaffccb7f is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:eu-west-1:<ACCOUNT A>:repository/<my-repository-name>

I have it working with the aws cli using "aws ecr get-login --registry-ids" before pulling the image on my local machine.
I am using the ECS optimized AMI with Agent 1.13.1, Docker 1.12.6.

Any suggestions? What is wrong?

All 4 comments

Have you tried with the account id as the principal only (i.e. not the full ARN with root)?
Assumed roles won't match the root IAM principal I think.

@hamstah I didn't find a way to edit it; when I enter the account number and save it, it appears automatically with :root. But I think it is useless, because I tried to put "*" there, which should allow any account and any role.

Thanks all for trying to resolve my issue. I have found the wrong repository name in my task definition; I had put the old repository URL. I changed its name in the past, and because of this I didn't get the "repository not exists" error. So, my settings are correct; hope it will help someone.

See: GH-308
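As an added example (not code from this issue or the ecs-agent project), a small offline triage helper for the CannotPullContainerError above: it parses the denied message, checks whether the repository policy grants the pull action to the pulling account, and flags a repository name that does not exist in the owning account, which is the stale task-definition image name that resolved this thread. All account IDs, role and repository names are constructed; it treats the account `:root` principal as covering that account's assumed roles, which is how ECR resource policies evaluate it.

```python
import re
# Added example (not from the issue or the ecs-agent project); all IDs below are constructed.
DENIED_RE = re.compile(
    r"User: arn:aws:sts::(?P<caller_account>\d{12}):assumed-role/\S+ "
    r"is not authorized to perform: (?P<action>ecr:\w+) on resource: "
    r"arn:aws:ecr:[a-z0-9-]+:(?P<repo_account>\d{12}):repository/(?P<repo>[\w./-]+)"
)

def parse_denied(message):
    """Extract caller account, action and target repository from the agent's error text."""
    m = DENIED_RE.search(message)
    return m.groupdict() if m else None

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def policy_allows(repo_policy, caller_account, action):
    """True if an Allow statement names the caller's account root ARN (which covers
    every role in that account) or "*", and the action (or ecr:* / *)."""
    for stmt in repo_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if any(p in ("*", f"arn:aws:iam::{caller_account}:root") for p in principals) \
                and any(a in ("*", "ecr:*", action) for a in _as_list(stmt.get("Action"))):
            return True
    return False

def diagnose(message, repo_policy, repos_in_owner_account):
    """Findings for the two causes in the thread: a repository name that does not exist
    in the owning account, and a policy that does not grant the pull action."""
    d = parse_denied(message)
    if d is None:
        return ["error text does not match the ECR access-denied format"]
    findings = []
    if d["repo"] not in repos_in_owner_account:
        findings.append(f"repository {d['repo']} not found in account {d['repo_account']}: "
                        "check the image URI in the task definition")
    if not policy_allows(repo_policy, d["caller_account"], d["action"]):
        findings.append(f"policy does not grant {d['action']} to account {d['caller_account']}")
    return findings

# Constructed sample mirroring the issue: stale repository name, repository policy otherwise fine.
SAMPLE_ERROR = ("CannotPullContainerError: API error (500): denied: User: arn:aws:sts::222222222222:"
                "assumed-role/ec2_role/i-0123456789abcdef0 is not authorized to perform: "
                "ecr:BatchGetImage on resource: arn:aws:ecr:eu-west-1:111111111111:repository/api-old")
SAMPLE_POLICY = {"Version": "2008-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
    "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"]}]}
```

Calling `diagnose(SAMPLE_ERROR, SAMPLE_POLICY, ["api"])` reports only the missing repository, matching the outcome of this thread; passing `["api-old"]` instead returns no findings.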
