Cross-Account ECR Access for ECS

A Step-by-Step Guide for DevOps and Cloud Engineers

As a #DevOps or #Cloud Engineer, it’s a best practice to store your container images in a secure, private repository like Amazon ECR (Elastic Container Registry). While having your images stored in a private ECR repository is ideal for security, there may come a time when you’ll need to access these images from a different AWS account—for example, if you’re deploying on Amazon ECS (Elastic Container Service) in a secondary account. This guide will walk you through setting up cross-account access, allowing a secondary account to push or pull images from your primary Amazon ECR repository.

AWS Services Involved:

Amazon ECR
Amazon ECS
AWS IAM

Assumptions:

You already have ECS running in your primary account.
You have an ECR repository in your primary account.

Step 1: Create an IAM Role in the Secondary Account

In the secondary account, create an IAM role that will be attached to the ECS Task Definition. This role requires the **AmazonEC2ContainerRegistryPowerUser** managed policy, allowing it to pull or push images from the primary account’s ECR repository.

Go to the IAM console in the secondary account.
Create a new role for the service Elastic Container Service.
Select the use case: Elastic Container Service Task and proceed.

Attach the policy: AmazonEC2ContainerRegistryPowerUser.

Create the role and note the role name and ARN, as they will be used to reference this role in the primary account's ECR permissions.

Step 2: Configure ECR Permissions in the Primary Account

On the primary account, update the repository permissions to allow access from the secondary account’s role.

Open the Amazon ECR console in the primary account.
In the navigation pane, go to Repositories under Private registry.
Select the repository you wish to grant access to.
In the navigation pane, choose Permissions.

Choose Edit policy JSON to modify the repository policy.

Example Policy:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "AllowPushPull",
         "Effect": "Allow",
         "Principal": {
           "AWS": [
             "arn:aws:iam::<secondary-account-id>:root",
             "arn:aws:iam::<secondary-account-id>:role/<role-name>" 
           ]
         },
         "Action": [
           "ecr:BatchCheckLayerAvailability",
           "ecr:BatchGetImage",
           "ecr:CompleteLayerUpload",
           "ecr:GetDownloadUrlForLayer",
           "ecr:InitiateLayerUpload",
           "ecr:PutImage",
           "ecr:UploadLayerPart"
         ]
       }
     ]
   }

Replace <secondary-account-id> with the actual account ID of the secondary account, and <role-name> with the name of the role created in Step 1.

Save the policy. Ensure the role exists in the secondary account before saving, as missing roles will cause an error.

Step 3: Reference the Image in Your ECS Task Definition

When defining your ECS task in the secondary account, specify the image URI for the ECR repository in the primary account. This will allow the ECS service in the secondary account to pull the image using the cross-account permissions you’ve configured.

By following these steps, you’ll set up seamless cross-account access, making it easy to securely pull and deploy container images across AWS accounts.