Grant cross-account access to ECS cluster EC2 instance role
A customer asked:
> I'm running a Nomad cluster in `dev` and want to pull some ECR images from `shared-services` which use a shared KMS key (`container-images`). I've set up the Nomad clients with the `ecr-login` docker config. How do I grant cross-account access to the assumed instance role for the client instances?
So long as your ECR repo policy grants permission to the dev account, you can add the necessary ECR API permissions as a role policy on the Nomad nodes. [Here is how we do it for ECS](https://github.com/gruntwork-io/terraform-aws-ecs/blob/7b97af9029e8ce139984b76d4a2b9b7ac27dd4e6/modules/ecs-cluster/main.tf#L314).
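
Both halves of that setup in Terraform, as an added example that is not taken from the linked module: the repository policy in `shared-services` and the role policy on the Nomad client role in `dev`. Every variable name, the policy name, and the provider configuration (a default `aws` provider plus the aliases `aws.shared_services` and `aws.dev`) are assumptions.

```hcl
# Added example. All variables and both provider aliases are assumed names.
variable "dev_account_id" {}
variable "shared_account_id" {}
variable "region" {}
variable "repo_name" {}
variable "client_role_name" {} # IAM role behind the Nomad client instance profile
locals {
  pull_actions = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
  ]
}

# shared-services side: repository policy that lets the dev account pull.
data "aws_iam_policy_document" "repo" {
  statement {
    actions = local.pull_actions
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.dev_account_id}:root"]
    }
  }
}

resource "aws_ecr_repository_policy" "repo" {
  provider   = aws.shared_services
  repository = var.repo_name
  policy     = data.aws_iam_policy_document.repo.json
}

# dev side: role policy on the Nomad client instance role.
data "aws_iam_policy_document" "client" {
  statement {
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"] # no resource-level scoping for this action
  }
  statement {
    actions   = local.pull_actions
    resources = ["arn:aws:ecr:${var.region}:${var.shared_account_id}:repository/${var.repo_name}"]
  }
}

resource "aws_iam_role_policy" "client_ecr_pull" {
  provider = aws.dev
  name     = "ecr-cross-account-pull"
  role     = var.client_role_name
  policy   = data.aws_iam_policy_document.client.json
}
```

The role policy is limited to the three pull actions on one repository ARN, so the client instances get no push or repository-management rights in `shared-services`.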