Can an AWS Fargate task pull an image from ECR in another account without creating a repository policy?


We have one AWS account with an ECR repository (account A) and multiple accounts with Fargate tasks (accounts B) that need to use that repository. Since it would not be convenient for us to change the repository policy on account A every time a new account B (with another Fargate task) joins, is there a way to avoid this? An acceptable solution for us would be to create a role on account A for each account B that can be assumed by some role from account B, but, as I understand, we can't make the task execution role assume another role? Another acceptable solution would be to make a generic repository policy (we tried IAM policy variables, but couldn't figure out a good solution).


There are 0 answers