Centralizing artifacts for an AWS Organization

Using a multi-region single AWS Account to supply artifacts for an AWS Organization

Today I Explained

Container images aren’t always located within the same AWS Account as the workload, so when pulling from AWS Elastic Container Registry (ECR) you can receive errors about insufficient permissions to pull from the repository:

Failed to pull image "cross-aws-account-id:.dkr.ecr.REGION.amazonaws.com/repo-name:image-tag":
 rpc error: code = Unknown desc = Error response from daemon: 
  pull access denied for arn:aws:ecr:REGION:cross-aws-account-id:repository/repo-name, 
    repository does not exist or may require 'docker login': denied: 
      User: arn:aws:sts::<aws-account-containing-eks-cluster>:assumed-role/<node-instance-role-for-worker-node> is not authorized to perform: 
        ecr:BatchGetImage on resource: arn:aws:ecr:REGION:cross-aws-account-id:repository/repo-name

In these cases the AWS Account, and sometimes even the region, is different from the AWS Account that the workload is running within. AWS supports mechanisms to make artifacts accessible ¹ ² ³ across AWS Accounts and, in some cases, across regions.

The reason for the artifacts to be placed within a single AWS Account, and made accessible to other accounts within the organization (or multiple organizations), is to facilitate artifact management. These single AWS Accounts are better equipped to manage things such as:

  • Active CVEs within the fleet of services
  • Replication of artifacts across AWS regions for redundancy/geolocation
  • Revoking artifacts that are determined to be compromised or not fit for production
  • Reducing costs through expiration of older or unused artifacts
  • Consistency with respect to organization tags
  • Safekeeping of the production artifacts of the organization

In practice, these AWS Accounts will be isolated into their own organization unit, with additional service control policies (SCPs) to prevent unintended behaviour. The artifact storage mechanisms will make use of resource-based policies that grant access to the other organization units, allowing for referencing the artifacts.

    ┌─────────┬───────OU Root────────┬────────────┐
    │         │          │           │            │
    ▼         ▼          ▼           ▼            ▼
Artifacts   Audit   Workloads   Infrastructure   ...

A tree structure with a top level node named ‘OU Root’ with 4 child nodes named ‘Artifacts’, ‘Audit’, ‘Workloads’ and ‘…’ to mean “and so on”.
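As an added example (not from the original post), here is the shape of the resource-based policy described above: an ECR repository policy in the Artifacts account that allows the pull actions from the error message only to principals whose organization path sits under the Workloads OU, together with a small check that flags Allow statements with a wildcard principal and no organization-scoped condition. The organization id and OU path are constructed placeholders, and using `aws:PrincipalOrgPaths` in an ECR repository policy is an assumption on my part.

```python
import json

# Constructed placeholder values: not real identifiers.
ORG_ID = "o-exampleorgid"
WORKLOADS_OU_PATH = f"{ORG_ID}/r-exampleroot/ou-exampleworkloads/*"

# Read-only actions a worker node needs to pull an image. The error message on
# the page names ecr:BatchGetImage; the other two are needed to fetch layers.
PULL_ACTIONS = [
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchCheckLayerAvailability",
]

def org_scoped_pull_policy(ou_path: str) -> dict:
    """Repository policy for the Artifacts account: the principal is a wildcard,
    but the condition restricts it to accounts under the given OU path."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowPullFromWorkloadsOU",
            "Effect": "Allow",
            "Principal": "*",
            "Action": PULL_ACTIONS,
            # aws:PrincipalOrgPaths is multivalued, hence the ForAnyValue operator.
            "Condition": {"ForAnyValue:StringLike": {"aws:PrincipalOrgPaths": [ou_path]}},
        }],
    }

ORG_CONDITION_KEYS = {"aws:principalorgid", "aws:principalorgpaths"}

def unscoped_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that use a wildcard principal without
    an organization-scoped condition key, i.e. statements that open the
    repository to any AWS account rather than to the organization."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if not wildcard:
            continue
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys & ORG_CONDITION_KEYS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

if __name__ == "__main__":
    policy = org_scoped_pull_policy(WORKLOADS_OU_PATH)
    print(json.dumps(policy, indent=2))
    print("unscoped statements:", unscoped_statements(policy))
```

The repository policy is only half of the grant: the node instance role in the workload account still needs an identity-based policy allowing the same `ecr:` actions, otherwise the "is not authorized to perform" error above persists.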