Push image to root account and pull it in org account

[srinivasaleti]

Root Account

• Create a github_oidc role in root account
• Create a policy named ecr_authorization_policy with below

  {
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "ecr:GetAuthorizationToken",
          "Resource": "*"
      }
  ]
  }

• Create another policy named ecr_push_image_policy with below permissions

  {
  "Version": "2012-10-17",
  "Statement": [
  {
    "Sid": "AllowPushPull",
    "Effect": "Allow",
    "Action": [
      "ecr:BatchCheckLayerAvailability",
      "ecr:CompleteLayerUpload",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:UploadLayerPart"
    ],
    "Resource": "arn:aws:ecr:ap-south-1:157078391004:repository/myapp-repository"
  }
  ]
  }

• Attach these two policies to github_oidc role

[srinivasaleti]

Create a policy that allows the secondary account to perform API calls against the image repository https://repost.aws/knowledge-center/secondary-account-access-ecr