amazon-web-services amazon-ecs amazon-vpc amazon-ecr ecs-taskdefinition

Task definition in ECS unable to pull docker image from different AWS account


Account A has the ECR repo and the ECS cluster is running on Account B; both accounts are running inside a VPC. The task definition running inside Account B is unable to pull the Docker image from Account A, but when the task definition is set to run on the AWS default VPC it is able to pull the container and run the service successfully. Is there a simple workaround for Account B running inside a VPC to pull the Docker image from Account A without adding a NAT Gateway? Did anyone overcome this issue?


Solution

  • inside VPC to pull the docker image from Account A without adding a NAT Gateway

    If you don't want to use NAT to connect to ECR, the only option is to use an ECR VPC interface endpoint. Details for cross-account setup involving ECR endpoints are given in the AWS blog:
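
An added example, not part of the original answer: a pull-only repository policy for Account A's ECR repo, and a check for which VPC endpoints Account B's VPC still lacks for a pull without NAT. The account IDs, the role name `ecsTaskExecutionRole`, the region and the endpoint list are constructed placeholders; the endpoint records mimic items from `aws ec2 describe-vpc-endpoints`.

```python
import json

# Pull-only actions for the repository policy in Account A (no push rights).
# Account B's task execution role also needs ecr:GetAuthorizationToken
# in its own identity policy; that action cannot be scoped to a repository.
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
]

def repository_pull_policy(puller_role_arn):
    """Repository policy granting one role in Account B pull access only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountPull",
            "Effect": "Allow",
            "Principal": {"AWS": puller_role_arn},
            "Action": PULL_ACTIONS,
        }],
    }

def required_endpoints(region, uses_awslogs=False):
    """Endpoint service names needed to pull from ECR in a subnet without NAT."""
    prefix = f"com.amazonaws.{region}"
    needed = [
        f"{prefix}.ecr.api",  # interface endpoint: auth token and image metadata
        f"{prefix}.ecr.dkr",  # interface endpoint: Docker registry API
        f"{prefix}.s3",       # gateway endpoint: image layers are stored in S3
    ]
    if uses_awslogs:
        needed.append(f"{prefix}.logs")  # only if the task uses the awslogs driver
    return needed

def missing_endpoints(region, existing, uses_awslogs=False):
    """Return required service names with no endpoint in the 'available' state."""
    have = {e["ServiceName"] for e in existing
            if e.get("State", "").lower() == "available"}
    return sorted(n for n in required_endpoints(region, uses_awslogs) if n not in have)

if __name__ == "__main__":
    # Constructed sample: Account B is 222222222222, its VPC has two endpoints so far.
    role = "arn:aws:iam::222222222222:role/ecsTaskExecutionRole"
    print(json.dumps(repository_pull_policy(role), indent=2))
    sample = [
        {"ServiceName": "com.amazonaws.us-east-1.ecr.dkr", "State": "available"},
        {"ServiceName": "com.amazonaws.us-east-1.s3", "State": "available"},
    ]
    print("missing:", missing_endpoints("us-east-1", sample))
```

The printed policy is what Account A would attach to the repository; naming a single role as principal rather than the whole of Account B keeps the grant to the one identity that pulls.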