Pulling image from AWS ECR repository without AWS credentials-CodePudding

I need to pull docker images from on premise. However, I don't have access to AWS keys to be able to perform such an action against a private repository. How can I pull ECR images without AWS authentication? I've noticed ECR public repository, however, I still need some level of restriction to protect the repos contents.

CodePudding user response：

Yes, you can authenticate temporarily. As document pointed;

You can use temporary security credentials to make programmatic requests for AWS resources using the AWS CLI or AWS API (using the AWS SDKs). The temporary credentials provide the same permissions as long-term security credentials, such as IAM user credentials.

Reference : https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html

Also, If there is no way to succeed the authentication this way or any other way, You can use public registries registry policies. You can ALLOW certain IPs/services/users to reach your registry. Example registry policy is below;

{
  "Version": "2012-10-17",
  "Id": "ECRPolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "ecr:*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            1.2.3.4/32,
            2.3.4.5/32
          ]
        },
        "IpAddress": {
          "aws:SourceIp": "0.0.0.0/0"
        }
      }
    }
  ]
}