Configure AWS Elastic Container Registry

Provide credentials to access private ECR

There are two options for configuring access to a private AWS ECR registry: CloudFormation Template and Configure Manually.

Manual Configuration

This configuration lets you enter the accountID, accessToken, secretkey and Region, which gives Lineaje access to your organization’s private ECR registry.

For security reasons, Lineaje recommends creating a new user with a cross-account role. Follow the steps below to create a new user:

  • Go to the AWS console and log in using your organization credentials

  • Navigate to Identity and Access Management (IAM) and click Users

  • Add users, then enter the user name

  • For the AWS credential type, select Access key - Programmatic access, then set permissions. There are two required permissions you will need to set:

    • AmazonEC2ContainerRegistryFullAccess

    • AmazonElasticContainerRegistryPublicFullAccess

  • Skip Tags Tab

  • Review Tab

  • The final tab provides the access key ID and secret access key

IAM CloudFormation Template

The CloudFormation Template (CFT) option needs a CFT file to be uploaded.

  • Download the sample CFT file

  • Go to the AWS console and log in using your organization credentials

    • Go to the AWS sign-in page https://console.aws.amazon.com/cloudformation

    • Click the buttons Create Stack -> With New Resources

    • Leave the Prepare Template setting as-is

      • For Template source select Upload a template file

      • Click Choose file and select the CloudFormation template you downloaded and click Next

    • For Stack name use SBOM360-ECR-Permissions-Stack and click Next

    • For Configure Stack Options, it is recommended to configure tags, which are key-value pairs that can help you identify your stacks and the resources they create. You will not need additional permissions or advanced options, so click Next.

    • For Review

      • Scroll down to the bottom of the page and select "I acknowledge that AWS CloudFormation might create IAM resources with custom names."

      • Click Create Stack

      • You will be taken to the CloudFormation stack status page, showing the stack creation in progress

        • Click on the Events tab and watch the CloudFormation events as they form the IAM Role

      • Click on the Outputs tab and copy the value of the EcrIntegrationRoleARN key

      • The value should look similar to the following: arn:aws:iam:/sbom360/SBOM360_ECR_Role

  • Upload the updated CFT in the configure step

  • Click Test Connection to test the connection against the credentials
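
The check below is an added example, not part of Lineaje's documentation or tooling: it confirms from the JSON printed by `aws cloudformation describe-stacks --stack-name SBOM360-ECR-Permissions-Stack` that the stack finished creating and that the EcrIntegrationRoleARN output is a well-formed IAM role ARN before you paste it anywhere. The sample input and its account ID are constructed placeholders, and the function name is hypothetical.

```python
import json
import re

STACK_NAME = "SBOM360-ECR-Permissions-Stack"  # stack name used in the steps above
OUTPUT_KEY = "EcrIntegrationRoleARN"          # output key copied in the steps above

# IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<optional path/><name>
ROLE_ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:role/"
    r"(?:[\w+=,.@-]+/)*[\w+=,.@-]{1,64}$"
)


def extract_role_arn(describe_stacks_json: str) -> str:
    """Return the role ARN from `aws cloudformation describe-stacks` output.

    Raises ValueError if the stack is absent, not fully created, lacks the
    expected output, or the output is not a well-formed IAM role ARN.
    """
    stacks = json.loads(describe_stacks_json).get("Stacks", [])
    stack = next((s for s in stacks if s.get("StackName") == STACK_NAME), None)
    if stack is None:
        raise ValueError(f"stack {STACK_NAME} not found")
    status = stack.get("StackStatus")
    if status not in ("CREATE_COMPLETE", "UPDATE_COMPLETE"):
        # e.g. ROLLBACK_COMPLETE: the IAM role was never created
        raise ValueError(f"stack not ready: {status}")
    outputs = {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}
    arn = outputs.get(OUTPUT_KEY, "").strip()
    if not ROLE_ARN_RE.match(arn):
        raise ValueError(f"{OUTPUT_KEY} missing or not an IAM role ARN: {arn!r}")
    return arn


# Constructed sample of describe-stacks output; 123456789012 is a placeholder.
SAMPLE = json.dumps({"Stacks": [{
    "StackName": STACK_NAME,
    "StackStatus": "CREATE_COMPLETE",
    "Outputs": [{
        "OutputKey": OUTPUT_KEY,
        "OutputValue": "arn:aws:iam::123456789012:role/sbom360/SBOM360_ECR_Role",
    }],
}]})

if __name__ == "__main__":
    print(extract_role_arn(SAMPLE))
```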
