I'm trying to set up cross-account access to ECR. What I'd like is to allow one AWS account to access the ECR in a different AWS account. The point is that it is needed to set up a policy permission under each repository. I don't like honestly this approach because for each new repository created under the ECR, I need to set up a policy. Do you have a better strategy to allow one account to automatically access all the repos in a ECR in a different AWS account?
Related
I have two AWS accounts A, B.
All my code commit repositories are present in account A.
Now I want to create the AWS code Build job in account B for repositories in account A.
I am trying to figure out to get the list of AWS repositories in account B from account A while selecting the source for creating a code build job.
I am not sure how to get the list of repositories from account A to account B in the source Repository field.
I have followed the below tutorial only till the second topic.
https://docs.aws.amazon.com/codecommit/latest/userguide/cross-account.html
Any help will be appreciated.
You can configure access to CodeCommit repositories for IAM users and groups in another AWS account. This is often referred to as cross-account access.
Mainly you be need to do the following:
Will need to create a policy and role for the repository with the needed permissions.
Create a policy and attach to your CodeBuild Role allowing the access on the Resource for the created Role
eg.
"Resource": "arn:aws:iam::REPO_ACCOUNT:role/MyCrossAccountRepositoryContributorRole"
This will enable the CodeBuild to access the needed CodeCommit repository.
This page explain this very well: Configure cross-account access to an AWS CodeCommit repository using roles.
Also, check this blog post that explain a little more detailed what you want:
AWS CodePipeline with a Cross-Account CodeCommit Repository.
We had 4 individual AWS accounts for Dev,QA, UAT and Prod.
I need to clone a repository from AWS Prod account with branch name Production.
The problem is I am using the command
git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/vanguard"
which is working fine, but I am not sure the cloned repository belongs to which AWS account since I am not providing any AWS account details while cloning the repository to my local.
The clone URL
https://git-codecommit.us-east-1.amazonaws.com/v1/repos/vanguard"
is same in all AWS accounts.
How to clone a repository from specific AWS Code commit account only?
You'd have to create an IAM role in that AWS account you want to clone the repository from. The IAM role will delegate access to that repository to IAM user/users in the AWS account.
Then, you would have to configure your AWS CLI to use AWS Security Token Service (STS) and assume the role when running commands.
Also, note that, each CodeCommit repository is associated with an AWS Region.
Here's more on assuming roles with AWS CLI.
EDIT:
Here's what's need to be done to enable Cross-Account Access to a repository in a different account:
Repository Account Actions:
Create a policy for access to the repository.
Attach this policy to a role in the same account, and allow users in the user account to assume this role.
User Account Actions:
Create an IAM user or IAM group. Use these to access the repository from the other account.
Assign a policy to the user or group that allows them to assume the role created in the repository account as part of the previous step.
Finally, assume the cross-account role before you attempt to clone or otherwise access the repository. Also, make the necessary changes to your credentials file ~/.aws/config
For example:
[profile MyCrossAccountProfile]
role_arn = arn:aws:iam::123456789012:role/MyCrossAccountProfile
source_profile = user1
Lastly, you need to modify the AWS CLI credential helper so that you use MyCrossAccountProfile
git config --global credential.helper `!aws codecommit credential-helper --profile MyCrossAccountProfile $#'
I want to create a S3 Bucket via CloudFormation template. I found there is a way to do it for EC2 instance on this link.
Do we have a way to create S3 bucket using existing IAM role via cloudformation?
It looks like what you're looking for is a service role. From AWS:
A service role is an AWS Identity and Access Management (IAM) role that allows AWS CloudFormation to make calls to resources in a stack on your behalf. You can specify an IAM role that allows AWS CloudFormation to create, update, or delete your stack resources. By default, AWS CloudFormation uses a temporary session that it generates from your user credentials for stack operations. If you specify a service role, AWS CloudFormation uses the role's credentials.
For more information, you might want to take a look at this, specifically the permission part to find out how to use an existing IAM role for creating a Cloudformation stack.
By the way: Unfortunately the link that you've provided doesn't seem to be accessible anymore.
When deploying infrastructure using creating Cloudformation template, you can have 2 ways to do it:
Cloudformation can deploy resources using the permissions of the current user who deploys the CF template. This is the default way
Secondly (Optional), you can choose an existing role that can be attached to the CF template. Cloudformation service will use the permissions of that attached role to deploy all the required services. Given that the attached role has permissions to S3, you can create an S3 bucket as can be seen in the attached screenshot
How do ECR policies differ from IAM policies?
The language around the ECR policies seem to indicate it is similar to the S3 bucket policy.
Does it allow you to grant access not using IAM?
If I wanted to grant another account access to registry can I use an ECR policy or do I still need a cross account role?
The language around the ECR policies seem to indicate it is similar to the S3 bucket policy.
Yep, they are. Both ECR repository policies and S3 bucket policies control permissions of specific resources rather than permissions of principals (identities). In the case of ECR, it lets you define permissions for a specific repository.
Does it allow you to grant access not using IAM?
Sort of. You need both an IAM policy and a repository policy to express some kinds of permissions. For example, an IAM policy on a user might have permissions like ecr:* in order to allow the user to make API calls to ECR and then a repository policy might grant control over a particular repository.
If I wanted to grant another account access to registry can I use an ECR policy or do I still need a cross account role?
This is one of the primary use-cases of repository policies. A user in account A might have permission to make ECR API calls with ecr:* in the IAM policy. A repository in account B could then grant cross-account access to account A, at which point the account A user does not need to assume a cross-account role in order to access the repository.
According the documentation, you can allow cross-account access to your ECR with just the repo policy:
For Principal, choose the scope of users to apply the policy statement to.
You can apply the statement to all authenticated AWS users by selecting the Everybody check box.
You can apply the statement to all users under specific AWS accounts by listing those account numbers (for example, 111122223333) in the AWS account number(s) field.
You can apply the statement to roles or users under your AWS account by checking the roles or users under the All IAM entities list and choosing >> Add to move them to the Selected IAM entities list.
So you don't need to setup cross-account role assumption, but I imagine you would have to grant the appropriate permissions to the users/groups/roles in the remote account to allow them to talk out to your ECR.
How to make an ECR repository public for anybody to pull from. I see the policy document in the permission sections is where I should make permission changes. But it's not working, and I still need to get authenticated with the IAM user.
Amazon ECR currently supports private images. See official AWS ECR FAQ:
https://aws.amazon.com/ecr/faqs/
Q: Can Amazon ECR host public container images?
Amazon ECR currently supports private images. However, using IAM resource-based permissions, you can configure policies for each repository to allow access to IAM users, roles, or other AWS accounts.
You can use Docker Hub or other public repositories.
https://hub.docker.com/
Amazon just released support for public ECR repositories!
https://aws.amazon.com/blogs/aws/amazon-ecr-public-a-new-public-container-registry/
check out https://github.com/monken/aws-ecr-public. It's a solution that provisions a serverless API Gateway to make ECR repositories public. It also supports custom domains.