AWS cross-account access for ECR?

[pbrousseau-sdx]

We have an architecture where we push all of our built OCI images into one centralized account, which has no EKS clusters. Our argo-cd instances are run in 4 separate accounts (sandbox / dev / stage / production), and use ECR pull-through caching when we actually update one of our microservices.

I am doing a POC of kargo in the sandbox account. I have set up a warehouse to point to the ECR in the local account, and this works for a known tag for the microservice image. However, I want the warehouse to be able to discover images in the centralized ECR.

In order to do this, the kargo-controller service account's IRSA role would need to assume a cross-account role, as I understand it. Looking briefly through the docs, I see:

At this point, an IAM role will be associated with the Kargo controller, however, that controller acts on behalf of multiple Kargo projects, each of which may require access to different ECR repositories. To account for this, when Kargo attempts to access an ECR repository on behalf of a specific project, it will first attempt to [assume an IAM role](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) specific to that project. The name of the role it attempts to assume will always be of the form kargo-project-<project name>. It is this role that should be granted read-only access to applicable ECR repositories.

However, when I look for the code that assumes that kargo-project-FOO, I see that the role name is:

const roleARNFormat = "arn:aws:iam::%s:role/kargo-project-%s"

And (again, as far as I can tell), the AWS account is the account that the pod is running in.

Am I reading this correctly, or is there another way to set up cross-account ECR read access?

In the long run, it may be feasible to run kargo in this centralized account, but this is a POC and I want to just see what I can make work, as close to our actual workflow.

Thanks for any advice!

[krancour]

And (again, as far as I can tell), the AWS account is the account that the pod is running in.

That's correct.

To the best of my knowledge, everything you need to do to enable this is on the AWS end. Taking Kargo out of the equation entirely and speaking generally about a role in account A requiring access ECR repos in account B, then the registry's policies simply need to grant permissions to a role in account A, identified by its ARN.

[pbrousseau-sdx]

OK, I think that there's some details that I missed in the ECR setup. I'm going to dig into that -- thanks for the help!

(Your advice was spot on; I was able to do what I want well within the scope of what Kargo does. I will comment again later w/ some more information when I have some time, in case anyone else has similar questions.)