amazon-web-services amazon-eks aws-ecr

Use ECR images in EKS from another account


I've two accounts: Account A and Account B. I would like to run an image from ECR at Account A on EKS on Account B.

I'm a bit confused on how to give the EKS the permissions. At first I thought of creating a docker-registry in the EKS with User role. But, as I read more I understood that it's not the way.

Has anyone tried it before?


Solution

  • First, your EKS needs to have IAM permissions to do these operations as if they were performed against ECR in the same account.

    Second, you need to allow the other account to access the ECR repository. You can do this by logging into the management console of the account that hosts the ECR. Go to ECR -> click on the repository that you want to make accessible by the other account -> on the left panel, click on permissions -> click edit -> click add statement -> fill in AWS account IDs - optional field with the account number of your second account, leave the rest untouched -> click save.
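
The repository policy from the second step can also be written and checked as a document. The following is an added example, not part of the original answer: it builds a pull-only policy for Account A's repository and audits a policy for wildcard principals or actions beyond pulling. The account ID `222222222222`, the `Sid`, and the function names are constructed placeholders, and limiting the statement to the three pull actions is an assumption about the intended access.

```python
import json

ACCOUNT_B = "222222222222"  # constructed placeholder for the EKS account

# Read-only actions needed to pull an image; nothing that pushes or deletes.
PULL_ACTIONS = {
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
}


def build_pull_policy(puller_account_id):
    """Repository policy for Account A's repo: pull-only access for one account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountPull",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{puller_account_id}:root"},
            "Action": sorted(PULL_ACTIONS),
        }],
    }


def audit_policy(policy, expected_account_id):
    """Return a list of findings; an empty list means pull-only and scoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        principals = [aws] if isinstance(aws, str) else list(aws or [])
        for p in principals:
            if p == "*":
                findings.append(f"{sid}: principal is a wildcard")
            elif expected_account_id not in p:
                findings.append(f"{sid}: unexpected principal {p}")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for a in actions:
            if a not in PULL_ACTIONS:
                findings.append(f"{sid}: action beyond pull: {a}")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_pull_policy(ACCOUNT_B), indent=2))
```

The printed JSON can be saved to a file and applied in Account A with `aws ecr set-repository-policy --policy-text`. `ecr:GetAuthorizationToken` is not part of a repository policy; it belongs to the IAM permissions of the EKS node role in Account B, which is the first step above.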