Harbor Replication Issue with ECR in another AWS account #21828

Open
sergdpi opened this issue Apr 4, 2025 · 3 comments
Labels
help wanted The issues that is valid but needs help from community replication/adapters related to replication adapters

Comments

sergdpi commented Apr 4, 2025

Harbor is running in an EKS cluster with a service account that has an IAM role, in AWS account 11111111.
Harbor is configured to replicate images to an ECR repository in AWS account 22222222. The IAM role for Harbor has been granted access to the ECR in account 22222222. Additionally, Harbor has access to the ECR in the same AWS account (11111111) where it is running.

Expected Behavior:
Harbor should create a repository and upload an image directly to the target ECR in AWS account 22222222.

Actual Behavior:
Harbor creates a repository in AWS account 11111111 and uploads the image to the ECR in AWS account 22222222 only if the repository already exists.

Steps to Reproduce:

  1. Configure Harbor to run in an EKS cluster with a service account that has an IAM role in AWS account 11111111.
  2. Attach an ECR repository in AWS account 22222222 to Harbor.
  3. Configure access to the ECR for the Harbor IAM role.
  4. Set up replication (event based) from Harbor to the remote ECR in AWS account 22222222.
  5. Trigger a replication task.

Versions:
Please specify the versions of the following systems.

  • harbor version: v2.12.2-73072d0d
  • helm chart version: 1.16.2
  • EKS: 1.29

Additional Information:

  • The IAM role for Harbor has the necessary permissions to create repositories and upload images in both AWS accounts.
  • The errors occur only when there is no access to ECR in the same AWS account where the Harbor is running:
    Failed to do the prepare work for pushing/uploading resources: AccessDeniedException: User: arn:aws:sts::11111111:assumed-role/eks-eu-west-1-harbor/eks-... is not authorized to perform: ecr:DescribeRepositories on resource: arn:aws:ecr:eu-west-1:11111111:repository/container-registry/app because no identity-based policy allows the ecr:DescribeRepositories action status code: 400, request id: 7a6a..
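A constructed diagnostic for the AccessDenied message above (an added example, not Harbor's or the ECR adapter's code): it parses the configured ECR endpoint for its account and region, shows the registryId that an ecr:DescribeRepositories or ecr:CreateRepository call must carry to be evaluated against the endpoint's account rather than the caller's own, and checks whether the resource ARN in the error actually points at the endpoint's account. The endpoint hostname, the sample values and the helper names are assumptions.

```python
import re
from urllib.parse import urlparse

# ECR registry endpoint layout: <account>.dkr.ecr.<region>.amazonaws.com
# (real account IDs are 12 digits; the issue uses shortened placeholders, so \d+)
_ECR_HOST = re.compile(r"^(?P<account>\d+)\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$")
# Resource ARN as it appears in an ECR AccessDeniedException message
_RESOURCE_ARN = re.compile(r"on resource: arn:aws:ecr:(?P<region>[a-z0-9-]+):(?P<account>\d+):repository/(?P<repo>\S+)")

# Constructed sample input: the target endpoint of the replication rule and the
# error text quoted in the issue (caller role lives in account 11111111).
TARGET_ENDPOINT = "https://22222222.dkr.ecr.eu-west-1.amazonaws.com"
ISSUE_ERROR = ("AccessDeniedException: User: arn:aws:sts::11111111:assumed-role/eks-eu-west-1-harbor/eks-... "
               "is not authorized to perform: ecr:DescribeRepositories on resource: "
               "arn:aws:ecr:eu-west-1:11111111:repository/container-registry/app "
               "because no identity-based policy allows the ecr:DescribeRepositories action")

def parse_ecr_endpoint(endpoint):
    """Return (account_id, region) from an ECR endpoint URL or bare hostname."""
    host = urlparse(endpoint if "://" in endpoint else "https://" + endpoint).hostname or ""
    m = _ECR_HOST.match(host)
    if m is None:
        raise ValueError(f"not an ECR registry endpoint: {endpoint!r}")
    return m.group("account"), m.group("region")

def ecr_call_params(endpoint, repo):
    """Parameters a describe/create-repository call needs so the ECR API evaluates it
    against the endpoint's account; without registryId it defaults to the caller's."""
    account, region = parse_ecr_endpoint(endpoint)
    return {"region": region, "registryId": account, "repositoryName": repo}

def repository_arn(region, account, repo):
    return f"arn:aws:ecr:{region}:{account}:repository/{repo}"

def diagnose_access_denied(message, endpoint):
    """Compare the resource ARN in an AccessDeniedException with the configured endpoint.
    A mismatch means the call was evaluated against the caller's own account."""
    m = _RESOURCE_ARN.search(message)
    if m is None:
        return {"parsed": False}
    account, region = parse_ecr_endpoint(endpoint)
    return {
        "parsed": True,
        "resource_account": m.group("account"),
        "endpoint_account": account,
        "targets_endpoint_account": m.group("account") == account,
        "expected_arn": repository_arn(region, account, m.group("repo")),
    }

if __name__ == "__main__":
    print(ecr_call_params(TARGET_ENDPOINT, "container-registry/app"))
    print(diagnose_access_denied(ISSUE_ERROR, TARGET_ENDPOINT))
```

For the quoted error the diagnosis reports a resource account of 11111111 against an endpoint account of 22222222, which is the symptom described: the describe call was scoped to the caller's account, not the configured registry.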
wy65701436 (Contributor) commented

Let me clarify: You’ve set up an ECR registry endpoint with the account 22222222 in Harbor and triggered a push replication from Harbor to ECR, correct?

If that’s the case, Harbor will only use the 22222222 account to interact with ECR, regardless of the account configured in your Harbor instance.

sergdpi commented Apr 7, 2025

Correct, I’ve configured the Harbor ECR registry endpoint with account 22222222. The replication rule is also configured with this endpoint.

@wy65701436 wy65701436 added replication/adapters related to replication adapters help wanted The issues that is valid but needs help from community labels Apr 7, 2025
wy65701436 (Contributor) commented

Hi @sergdpi, since ECR is maintained by the community, I will try to ping the owner to check this out.
