Home > Enterprise >  AWS Allow Cross-account EKS Cluster to Pull Images from ECR
AWS Allow Cross-account EKS Cluster to Pull Images from ECR

Time:11-12

Summary:

I'm looking to enable EKS nodes to pull images from an ECR registry from a different AWS project. I created an "AllowPull" policy in the desired ECR repository and set the principal of the policy to the ARN of the EKS cluster role, but node is unable to pull the image.

How should the policy be formulated in order to allow all nodes in an EKS cluster to pull from a cross-account ECR repository?

Attempt Details:

  • The ECR registry recourse name is:

    arn:aws:ecr:us-east-2:226427918358:repository/external-pull-test
    
  • The EKS cluster that needs to pull the images has the following role attached:

    arn:aws:iam::02182452XXXX:role/aws-dev-eks-cluster-crpiXXXX091410594876160000000c
    
  • The external ECR registry has the following policy JSON:

    {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Sid": "AllowPull",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::02182452XXXX:role/aws-dev-eks-cluster-crpiXXXX091410594876160000000c"
                },
                "Action": [
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:BatchGetImage",
                    "ecr:DescribeImages",
                    "ecr:DescribeRepositories",
                    "ecr:GetDownloadUrlForLayer"
                ]
            }
        ]
    }
    
  • The pod ImagePullBackOff error specifies that the user attempting to authenticate with the registry is this assumed role:

    arn:aws:sts::02182452XXXX:assumed-role/aws-dev-eks-cluster-crpiXXXX091410594876160000000c/i-0ea4f53b6dfdcxxxx
    

Environment:

  • Kubernetes: v1.16.15-eks-e1a842

Additional Details:

Using the ARN of my user principal (cross-account) in the policy did allow me to pull images using docker locally. Using the ARN of the assumed role did enable the node to pull the image, but my understanding is that configuring the policy with a particular assumed role won't guarentee that the cluster nodes can consistently pull from the registry.

CodePudding user response:

Another method is click on the "external-pull-test" repo on the ECR console, on the left panel under "Repositories" click on "Permissions", then click on "Edit" on the top right. You can add the account ID that needs to pull from this repo at "AWS account IDs". Check the permitted actions at the bottom "Actions" drop down box. "Save" and you should be able to pull.

  • Related