EKS deploy from ECR
Amazon Elastic Container Registry (ECR) is a fully managed container registry for storing, managing, sharing, and deploying container images and artifacts. When EKS and ECR live in the same account, access is normally granted through the IAM role attached to the worker nodes' instance profile, and no registry-side configuration is needed. When EKS and ECR are in different accounts, the repository in the registry account must additionally grant the other account access through a repository (resource) policy.
In this example, we create an ECR repository in Account A and configure pull access from an EKS cluster running in Account B.
Configuration.
Create a new ECR repository in Account A, then edit its permissions (the repository policy).
Add the following JSON policy, replacing <accountB_id> with the AWS account ID of Account B:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPullFromAccountB",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<accountB_id>:root"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}
This allows EKS in Account B to pull images from the repository in Account A. Two things to keep in mind. First, the repository policy is only half of a cross-account grant: the pulling principal (the EKS node IAM role in Account B) must also hold the matching permissions in its own IAM policy, including ecr:GetAuthorizationToken, which is a registry-level action and therefore belongs in the caller's IAM policy rather than in the repository policy; the AWS managed policy AmazonEC2ContainerRegistryReadOnly covers this for worker nodes. Second, a principal of arn:aws:iam::<accountB_id>:root delegates the decision to every IAM identity in Account B; for least privilege, name the node role ARN instead. The policy is per repository, so it must be applied to each repository you create.
Pushing an image to ECR
Log in to the ECR registry of Account A with Podman or Docker using a short-lived token from aws ecr get-login-password, then tag the image with the registry hostname (<accountA_id>.dkr.ecr.<region>.amazonaws.com/<repo>:<tag>) and push it.
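The script below is an added example that strings the steps above together with the AWS CLI; it is not code from the original page. All values are assumptions: Account IDs 111111111111 (ECR, Account A) and 222222222222 (EKS, Account B), region eu-west-1, repository demo/app and tag 1.0.0 are placeholders, and each subcommand expects credentials for the account named in its comment. Immutable tags, scan-on-push, and the Deployment manifest are additions beyond what the page describes.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Placeholders (assumptions):
# ACCOUNT_A hosts the ECR repository, ACCOUNT_B runs the EKS cluster,
# REGION/REPO/TAG are arbitrary. Each aws call needs credentials for the
# account named in its comment.
set -eu

ACCOUNT_A="${ACCOUNT_A:-111111111111}"   # assumed registry account (A)
ACCOUNT_B="${ACCOUNT_B:-222222222222}"   # assumed EKS account (B)
REGION="${REGION:-eu-west-1}"
REPO="${REPO:-demo/app}"
TAG="${TAG:-1.0.0}"

# ECR registry hostname for an account/region pair.
registry_host() {
  printf '%s.dkr.ecr.%s.amazonaws.com' "$1" "$2"
}

# Repository policy granting Account B pull-only access. GetAuthorizationToken
# is deliberately absent: it is a registry-level action the caller must hold in
# its own IAM policy (for EKS nodes, AmazonEC2ContainerRegistryReadOnly).
ecr_pull_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPullFromAccountB",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::$1:root" },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}
EOF
}

# Account A credentials: create the repository and attach the policy.
# Immutable tags and scan-on-push are hardening choices added here.
create_repo_with_policy() {
  aws ecr create-repository --region "$REGION" --repository-name "$REPO" \
    --image-tag-mutability IMMUTABLE \
    --image-scanning-configuration scanOnPush=true >/dev/null
  aws ecr set-repository-policy --region "$REGION" --repository-name "$REPO" \
    --policy-text "$(ecr_pull_policy "$ACCOUNT_B")" >/dev/null
}

# Account A credentials: log in with a short-lived token, tag and push.
# Replace "docker" with "podman" if that is the client in use.
push_image() {
  local_image="$1"
  host="$(registry_host "$ACCOUNT_A" "$REGION")"
  aws ecr get-login-password --region "$REGION" \
    | docker login --username AWS --password-stdin "$host"
  docker tag "$local_image" "$host/$REPO:$TAG"
  docker push "$host/$REPO:$TAG"
}

# Account B credentials (e.g. the node role): the same API call the kubelet
# makes when pulling. A failure here points at the node role or the
# repository policy, not at the cluster.
verify_pull_from_b() {
  aws ecr batch-get-image --region "$REGION" --registry-id "$ACCOUNT_A" \
    --repository-name "$REPO" --image-ids imageTag="$TAG" \
    --query 'images[0].imageId.imageDigest' --output text
}

# Minimal Deployment that references the cross-account image by the
# Account A registry hostname; no imagePullSecrets are needed on EKS.
deployment_manifest() {
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  replicas: 1
  selector:
    matchLabels: { app: app }
  template:
    metadata:
      labels: { app: app }
    spec:
      containers:
      - name: app
        image: $(registry_host "$ACCOUNT_A" "$REGION")/$REPO:$TAG
EOF
}

case "${1:-}" in
  create) create_repo_with_policy ;;
  push)   push_image "${2:?local image name required}" ;;
  verify) verify_pull_from_b ;;
  deploy) deployment_manifest | kubectl apply -f - ;;
  *)      ;;   # no argument: only define the functions (safe to source)
esac
```

Run the subcommands in order (create and push with Account A credentials, verify and deploy with Account B credentials); if verify returns the image digest, the node role and repository policy agree and the Deployment will pull without further configuration.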