Saw a relevant answer HERE, but I have both already configured.

Getting STOPPED (CannotPullContainerError: Error response from daem)

ECR is in Account A and the ECS cluster is on Account B.

I have this policy on the ECR repository in Account A (cross-organization sharing):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPull",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:PrincipalOrgPaths": "o-x/*"
        }
      }
    }
  ]
}
```
When running manually on the instance (`aws ecr login Account-A` + `docker pull Account-A.xxx`) it works great.

Any idea why the ECS agent can't do it itself?
The ECS task role and task execution role use this IAM role:

- SecretsManagerReadWrite
- AmazonSQSFullAccess
- AmazonS3ReadOnlyAccess
- AmazonECS_FullAccess
- AmazonECSTaskExecutionRolePolicy
- AmazonMSKReadOnlyAccess

EC2 instance role:

- AmazonSSMManagedInstanceCore
- CloudWatchLogsFullAccess
- AmazonEC2ContainerServiceforEC2Role
I think you are going to need to make it explicit in the ECS container instance IAM role that you are giving permission to Account B to get containers from Account A.
In cross-account access you have to set up permissions on each side. Account A has to allow access to get the containers (the policy you specified in your question accounts for that). Account B has to give explicit permissions to services through roles and role profiles to access resources in other accounts. I think that is what you are missing.

Another walkthrough for resolving this is available here, which may help you think through this further.
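As an added illustration of the Account B side the answer describes (this is not the answer author's code, nor an AWS-published policy): an identity policy that could be attached to the EC2 container instance role in Account B, granting exactly the pull actions the Account A repository policy already allows, scoped to that one repository. The account ID `111111111111`, region `us-east-1` and repository name `my-repo` are placeholders and must be replaced with the real Account A values. `ecr:GetAuthorizationToken` is listed separately with `"Resource": "*"` because that action does not support resource-level permissions; the pull actions themselves are restricted to the cross-account repository ARN so the instance role cannot pull from arbitrary repositories.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EcrAuthTokenNoResourceScope",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "PullFromAccountARepoOnly",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": "arn:aws:ecr:us-east-1:111111111111:repository/my-repo"
    }
  ]
}
```

Both halves have to agree: the repository policy in Account A decides which principals may pull, and this identity policy in Account B decides which of its own roles may call ECR at all and against which repository ARN. Before redeploying the task, the combination can be checked offline with `aws iam simulate-principal-policy`, passing the instance role ARN as `--policy-source-arn`, the three pull actions as `--action-names`, and the repository ARN as `--resource-arns`; an `implicitDeny` on any of them points at the Account B side, which is the gap the answer above describes.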