[AWS CLI] Switch roles to get a Docker image in another account

Background

I wanted to pull a Docker image from the ECR of another account using the AWS CLI. This post summarizes what I found out about switching roles with the AWS CLI.

Prerequisites

1. Account A holds the Docker image you want
2. Pull that Docker image from account A onto an EC2 instance that exists in account B

Workflow

1. In the IAM of account A, create a role that can be used from account B

1-1. Select the trusted entity

1-2. Attach the access control policies

Grant the following:

・ AmazonEC2ContainerRegistryFullAccess
・ AmazonEC2FullAccess
・ AmazonEC2RoleforSSM (used to connect to EC2 with Session Manager)

1-3. Create the role

・ You do not have to enter a tag
・ Give the role an easy-to-understand name such as switch-role
・ After creation, copy the ARN of the created role

2. Prepare to actually switch roles in account B

2-1. Log in to account B and set up the EC2 IAM role

Open the IAM role attached to the EC2 instance and press the edit button on the trust relationships tab.

Paste the ARN of the role you created into the field marked with the blue frame.

2-2. Log in to EC2 and set up the AWS CLI

Log in to EC2 (via Session Manager this time). After logging in, switch to root privileges (su).

2-2-1. Register the profile used after switching
[root@ip-10-10-10-131 ~]# aws configure --profile dev
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]: ap-northeast-1
Default output format [None]: json

Here the profile used after switching is named dev. After setting it up, open the config file directly:

[root@ip-10-10-10-131 ~]# vi .aws/config

Add "role_arn" and "source_profile" to the dev profile.

2-2-2. Register the credentials
[root@ip-10-10-10-131 ~]# vi .aws/credentials

Create a new credentials file:

[default]
aws_access_key_id = xxxxxxxx
aws_secret_access_key = xxxxxx

Register the access key and secret access key of a user that can be used in account B.

3. Try it out

3-1. Without switching roles

Log in to ECR (Amazon Elastic Container Registry)

[root@ip-10-10-10-185 ~]# aws ecr get-login --region ap-northeast-1 --no-include-email > dlogin.sh
[root@ip-10-10-10-185 ~]# chmod +x dlogin.sh
[root@ip-10-10-10-185 ~]# ./dlogin.sh

Pull from the repository

[root@ip-10-10-10-185 ~]# docker pull 'Repository URI'
Error response from daemon: Get 'Repository URI' no basic auth credentials

An authentication error like the above occurs.

3-2. After switching roles

Log in to ECR (Amazon Elastic Container Registry)

[root@ip-10-10-10-185 ~]# aws ecr get-login --region ap-northeast-1 --no-include-email --profile dev > dlogin_dev.sh
[root@ip-10-10-10-185 ~]# chmod +x dlogin_dev.sh
[root@ip-10-10-10-185 ~]# ./dlogin_dev.sh

Pull from the repository

[root@ip-10-10-10-185 ~]# docker pull 'Repository URI'
Downloading..
...
Digest: sha256:0xx
Status: Downloaded newer image for 'Repository URI'

Confirm the pulled image

[root@ip-10-10-10-185 ~]# docker images
REPOSITORY        TAG      IMAGE ID       CREATED         SIZE
Repository name   latest   xxxxxxxxxxxx   13 months ago   5.37GB
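The profile setup from step 2-2 and the ECR login from step 3-2 as a shell script. This is an added example, not code from the original post; the account ID 111111111111, the role name switch-role and the profile name dev are placeholders. It uses `aws ecr get-login-password` instead of the deprecated `aws ecr get-login`, so the registry token is piped to docker on stdin rather than written to a file like dlogin_dev.sh.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: scripts the profile setup of
# step 2-2 and the ECR login of step 3-2. Account ID 111111111111, role
# name switch-role and the profile name dev are placeholders.
set -eu

# 12-digit account ID from a role ARN (arn:aws:iam::111111111111:role/switch-role).
account_id_from_arn() {
  id=$(printf '%s' "$1" | cut -d: -f5)
  printf '%s' "$id" | grep -Eq '^[0-9]{12}$' || { echo "bad role ARN: $1" >&2; return 1; }
  printf '%s' "$id"
}

# Registry hostname of account A's ECR in a region.
ecr_registry() { printf '%s.dkr.ecr.%s.amazonaws.com' "$1" "$2"; }

# Append the switch profile (step 2-2-1) to an AWS CLI config file.
# source_profile is the account-B credentials profile that is allowed to
# call sts:AssumeRole on role_arn; the CLI fetches temporary credentials.
write_switch_profile() {
  config="$1"; profile="$2"; role_arn="$3"; region="$4"; src="${5:-default}"
  mkdir -p "$(dirname "$config")"
  cat >> "$config" <<EOF

[profile $profile]
role_arn = $role_arn
source_profile = $src
region = $region
EOF
}

# Check that the profile really resolves to account A before touching ECR;
# this is the difference between 3-1 (no basic auth credentials) and 3-2.
verify_switch() {
  actual=$(aws sts get-caller-identity --profile "$1" --query Account --output text)
  [ "$actual" = "$2" ] || { echo "profile $1 is in account $actual, not $2" >&2; return 1; }
}

# Docker login with a short-lived token. get-login-password replaces the
# deprecated 'aws ecr get-login' used in the post; the token goes to docker
# on stdin instead of being written to a dlogin_dev.sh file.
ecr_login() {
  aws ecr get-login-password --profile "$1" --region "$2" \
    | docker login --username AWS --password-stdin "$3"
}
```

After sourcing the file: `write_switch_profile ~/.aws/config dev arn:aws:iam::111111111111:role/switch-role ap-northeast-1`, then `verify_switch dev 111111111111` and `ecr_login dev ap-northeast-1 "$(ecr_registry 111111111111 ap-northeast-1)"` before running `docker pull`.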

Finally

This time I focused on pulling a Docker image, but role switching can also be used to fetch documents from CodeCommit and the like, so I summarized the AWS CLI role-switching procedure as a memo.

References

Easy switching AWS CLI profile

Work by switching roles in the AWS CLI (https://nasrinjp1.hatenablog.com/entry/2018/04/06/215737)
