A common pattern is deploying the same application on different AWS accounts, for example one for development and one for production. Ideally, you want to avoid having to maintain two separate ECR repositories containing duplicate images, while also keeping your images private.
It's possible to create access keys with the required permissions in the account owning the repository and to use them from the other accounts, but you end up having to juggle multiple sets of AWS credentials for different operations.
A relatively painless way of enabling read-only access to a repository for another account is to add the following policy directly on the repository, where 123456 is the account id from which you want to access the images.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "123456 account pull access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456:root"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}
You can also be more specific with the principal if needed, in case you don't want to give access to the whole AWS account, but only to a subset of users and roles.
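As an added example (not from the original post), the following Python builds the pull-only repository policy above for one or more principals, so you can pass specific role or user ARNs instead of the account root, and audits an existing policy for the two mistakes that matter most in this setup: a wildcard principal (which makes the repository public) and actions beyond the read-only set. The ARNs are placeholders; the policy document is the one shown above.

```python
import json

# Read-only actions from the repository policy above. The pulling account
# also needs ecr:GetAuthorizationToken, a registry-level permission granted
# by its own IAM policies, not by this repository policy.
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:DescribeImages",
    "ecr:DescribeRepositories",
    "ecr:GetDownloadUrlForLayer",
]


def pull_policy(principal_arns):
    """Build a repository policy granting pull-only access to the given
    principals: account roots (arn:aws:iam::<id>:root) for a whole account,
    or specific role/user ARNs to narrow access to a subset."""
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "cross-account pull access",
            "Effect": "Allow",
            "Principal": {"AWS": sorted(principal_arns)},
            "Action": PULL_ACTIONS,
        }],
    }


def audit_policy(policy):
    """Return findings for Allow statements that exceed read-only access:
    public (wildcard) principals or actions outside the pull set."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        if "*" in aws:
            findings.append(f"{sid}: wildcard principal makes the repository public")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        extra = sorted(set(actions) - set(PULL_ACTIONS))
        if extra:
            findings.append(f"{sid}: non-pull actions granted: {', '.join(extra)}")
    return findings


if __name__ == "__main__":
    # Placeholder role ARN in the pulling account; write the result to a file
    # and apply it with: aws ecr set-repository-policy --policy-text file://policy.json
    print(json.dumps(pull_policy(["arn:aws:iam::123456:role/ci-pull"]), indent=2))
```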
As usual, the best way of maintaining that configuration over time is to use your favourite infrastructure as code tool!