This tool allows to clone ECR repositories between independent AWS accounts, when direct mirroring is not allowed by access policies, or when smart cloning rules should be applied.

It uses a host in the middle, that has access to both AWS accounts, and runs docker to pull-push images.

The following packages should be installed on the machine and be accessible with PATH variable:

• Python 3.5+ with basic set of modules.
• aws CLI 2.0+ binary.
• docker binary, all recent versions should work.

The tool was tested with Python 3.9.7, aws-cli 2.7.1 and docker 20.10.16.

You need to have access to both 'source' and 'destination' AWS accounts. IAM policies should allow at least read access to the 'source' ECR and write access to the 'destination' ECR.

Particularly, in the 'source' repository, at least the following actions should be allowed by IAM policies for the actual IAM user or role:

• ecr:DescribeImages
• ecr:DescribeRepositories
• ecr:ListImages
• ecr:GetRegistryScanningConfiguration

Correspondingly, in the 'destination' repository, at least the following actions should be allowed by IAM policies for the actual IAM user or role:

• ecr:DescribeImages
• ecr:DescribeRepositories
• ecr:ListImages
• ecr:PutImage
• ecr:InitiateLayerUpload
• ecr:UploadLayerPart
• ecr:CompleteLayerUpload
• ecr:BatchCheckLayerAvailability

Additionally, identity-based IAM policy for the actual IAM user or role should allow the following actions for "*" resource:

In 'source' AWS account:

• ecr:GetAuthorizationToken (necessary to run docker login)
• ecr:DescribeImageScanFindings (necessary to retrieve scan results)
• ecr:GetBatchImage

In 'destination' AWS account:

• ecr:GetAuthorizationToken (necessary to run docker login)

Your ~/.aws/credentials file should define separate profiles for both 'source' and 'destination' AWS accounts. Example of setup:

~/.aws/credentials:

[src]
aws_access_key_id = <key_id_src>
aws_secret_access_key = <key_scr>
region = us-east-1
[dst]
aws_access_key_id = <key_id_dst>
aws_secret_access_key = <key_dst>
region = us-west-2

where the values in angle brackets are your actual access credentials for corresponding AWS accounts.

Usage:

aws-ecr-cross-account-clone.py [-h] src_profile src_region dst_profile dst_region [--days DAYS] [--include-repos WHITELIST | --exclude-repos BLACKLIST] [--require-scan] [--verbose | --verbose-auth]

Positional arguments:

src_profile           Source AWS profile, as defined in ~/.aws/config
src_region            Source AWS region
dst_profile           Destination AWS profile, as defined in ~/.aws/config
dst_region            Destination AWS region

Optional arguments:

-h, --help                 Show the help message and exit
--days DAYS, -d DAYS       How recent images to synchronize, in calendar days (default 30)
--include-repos WHITELIST  Comma-separated white list of repositories to synchronize
--exclude-repos BLACKLIST  Comma-separated black list of repositories to exclude from synchronization
--require-scan, -s         Clone only scanned images (default False)
--verbose, -v              More verbosity, except sensitive authentication data (default False)
--verbose-auth, -vv        More verbosity, including sensitive authentication data (default False)

Example:

aws-ecr-cross-account-clone.py src us-east-1 dst us-east-2 --days 14 --require-scan

Notes about whitelisting and blacklisting:

• Arguments --include-repos and --exclude-repos are mutually exclusive.
• If either --include-repos or --exclude-repos argument refers a repository name that does not exist in source ECR, such name is ignored, and no error is arisen.

Notes about sensitive authentication data:

• --verbose flag enables printing varios debugging information, but hides AWS authorization tokens.
• --verbose-auth flag enables printing varios debugging information like --verbose flag does, including AWS authorization tokens.