Sharing ECR Repos

You can grant another AWS account access to the images stored in your Amazon Elastic Container Registry (ECR) by configuring a repository policy. This allows external AWS accounts to pull (download) or push (upload) container images to your repository. Granting such access is useful when you need to share container images with other teams, partners, or automated systems that require access to your ECR repository.

There are different requirements for EKS/ECS and Lambda.

Granting EKS and ECS Access to Your ECR Repository

To grant access to your ECR repository, create a repository policy using one of the policies below. Replace ACCOUNT_ID with the ID of the AWS account that needs access to the repository (not the account that contains the repo you are sharing).

Allowing Pull (Read) Access

This policy allows the other AWS account to pull (download) images from your ECR repository.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:root"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ]
    }
  ]
}

Allowing Pull and Push (Read and Write) Access

This policy allows the other AWS account to pull (download) images from and push (upload) images to your ECR repository.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPullAndPush",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:root"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload"
      ]
    }
  ]
}

Granting Lambda Access

To use the repository for Lambda function images, you also need to grant permissions directly to the Lambda service principal. For example, here is the "read" policy from above with an AllowLambdaPull statement added that grants those permissions; its aws:sourceARN condition limits the grant to Lambda functions in the consuming account and region. Replace ACCOUNT_ID and REGION_NAME with the ID and region of the AWS account that needs access to the repository (not the account that contains the repo you are sharing).

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:root"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ]
    },
    {
      "Sid": "AllowLambdaPull",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Condition": {
        "StringLike": {
          "aws:sourceARN": "arn:aws:lambda:REGION_NAME:ACCOUNT_ID:function:*"
        }
      }
    }
  ]
}
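As an added example (not part of the original page), this Python builds the policies shown above for one consumer account and audits a repository policy for grants a reviewer would question: wildcard principals, write access, and a Lambda service statement with no aws:sourceARN condition. The 12-digit account-ID check and flagging `ecr:*` as write access are assumptions about what is worth catching.

```python
import json

PULL_ACTIONS = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"]
PUSH_ACTIONS = ["ecr:PutImage", "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"]

def build_policy(account_id, push=False, lambda_region=None):
    """Build the repository policy from the page for one consumer account,
    optionally adding push rights and the Lambda service statement."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    statements = [{
        "Sid": "AllowPullAndPush" if push else "AllowPull",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": PULL_ACTIONS + (PUSH_ACTIONS if push else []),
    }]
    if lambda_region:  # Lambda needs its own statement, scoped by aws:sourceARN
        statements.append({
            "Sid": "AllowLambdaPull",
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
            "Condition": {"StringLike": {"aws:sourceARN":
                f"arn:aws:lambda:{lambda_region}:{account_id}:function:*"}},
        })
    return {"Version": "2008-10-17", "Statement": statements}

def audit_policy(policy):
    """Return findings: wildcard principals, write access, and a service
    principal with no aws:sourceARN condition (any account's functions could pull)."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid, principal = st.get("Sid", "<no Sid>"), st.get("Principal", {})
        if isinstance(principal, str):          # "Principal": "*" shorthand
            principal = {"AWS": principal}
        aws = principal.get("AWS", [])
        actions = st.get("Action", [])
        if "*" in ([aws] if isinstance(aws, str) else aws):
            findings.append(f"{sid}: principal is a wildcard")
        if any(a in PUSH_ACTIONS or a == "ecr:*"
               for a in ([actions] if isinstance(actions, str) else actions)):
            findings.append(f"{sid}: grants push (write) access")
        if "Service" in principal and \
                "aws:sourcearn" not in json.dumps(st.get("Condition", {})).lower():
            findings.append(f"{sid}: service principal has no aws:sourceARN condition")
    return findings
```

Write `json.dumps(build_policy(...))` to a file and apply it with `aws ecr set-repository-policy --repository-name <repo> --policy-text file://policy.json` from the account that owns the repository.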
