concourse / registry-image-resource

a resource for images in a Docker registry
Apache License 2.0

Cross account pull for ECR image not working #314

Open richardg0510 opened 2 years ago

richardg0510 commented 2 years ago

I have a registry-image resource configured with an ECR image. The image in ECR has permissions allowing cross account access. The image is pulled successfully when using AWS key / secret from an IAM user from the owning account, but does not pull any image when used with an AWS key / secret from an IAM user from a different account, even though that account has been given cross account access.

I have tried configuring using the full repository url, as well as just the repository name, and get the same results. In fact, when using the full repository url, it doesn't work even when using AWS key / secret from an IAM user from the owning account...

Here is the resource configuration

- name: k8s-test
  type: registry-image
  source:
    repository: ((ecr-registry))
    tag: ((registry-tag))
    aws_access_key_id: ((aws_access_key_id))
    aws_secret_access_key: ((aws_secret_access_key))
    aws_region: ((k8s_test_ecr_region))

I have verified my IAM permissions are correct, and I can pull the image locally using keys from either account.

What am I missing here?

Maghil commented 2 years ago

Just FYI: when using ECR, don't use the full repository URL; just the name is enough. Not sure why cross pull is not working.

richardg0510 commented 2 years ago

Yeah, I have it currently configured using just the name, but it doesn't work when using cross account permissions. I am transitioning from the docker-image resource, and that one works fine...