AWS Certified DevOps Engineer - Professional Exam: Resolve Cross-Account ECR Docker Image Access in CodeBuild Project


Question

Your organization owns several AWS accounts.

The AWS operations team builds several base Docker images and stores them in Amazon ECR.

A development team is starting a new project whose build phase needs AWS CodeBuild to build the artifacts.

One requirement is that the CodeBuild environment image must be an ECR Docker image owned by the operations team.

However, that ECR image is located in a different AWS account.

How would you resolve this and create the CodeBuild project?

Answers

Explanations


Correct Answer - C.

AWS CodeBuild supports using cross-account ECR images as the environment image; see the announcement:

https://aws.amazon.com/about-aws/whats-new/2019/01/aws-codebuild-now-supports-accessing-cross-account-ecr-images/.

Option A is incorrect: an AWS managed image is one of CodeBuild's own curated images and cannot be pointed at an ECR repository.

For an ECR image, a custom image must be configured.

Option B is incorrect: a cross-account ECR image is supported.

Option C is CORRECT: select a custom image, choose the Amazon ECR registry, and enter the full URI of the image in the other account.

Option D is incorrect: the external Docker registry option is not used for Amazon ECR.

Other registries, such as public Docker Hub, are what the external Docker registry option is for.

[Console screenshot of an "Edit action" form (AWS Lambda action provider, Asia Pacific (Sydney) region); not reproduced.]

The correct answer is C. Select a custom image, choose the Amazon ECR registry, and enter the full ECR image URI of the repository in the other account.

Explanation: AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy. CodeBuild provides pre-configured build environments or custom build environments with the required dependencies and build tools. To build artifacts, CodeBuild uses an environment image, which is a Docker image that includes a complete file system with a pre-installed operating system, runtime, and other software required to perform the build.

ECR (Elastic Container Registry) is a fully managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images. ECR is integrated with other AWS services such as Amazon ECS, AWS Fargate, and CodeBuild.

In this scenario, the development team needs to use an ECR Docker image owned by the operations team, which is located in a different AWS account. To use this Docker image as the environment image in CodeBuild, the development team can follow the steps below:

  1. Grant cross-account access to the ECR repository: The operations team must allow the development team's account to pull from the repository. This is done with a resource-based repository policy in the operations account whose Principal is the development team's CodeBuild service role (or, more broadly, the development account) and whose Action list covers the pull permissions ecr:BatchGetImage, ecr:BatchCheckLayerAvailability and ecr:GetDownloadUrlForLayer. Because the access is cross-account, the development team's CodeBuild service role must also carry an identity policy that allows those same actions on the repository plus ecr:GetAuthorizationToken; the repository policy alone is not enough.

  2. Get the ECR image URI: The operations team provides the image URI to the development team. The URI includes the AWS account ID, the region, the repository name and the tag (or digest) to pin, for example:

    <aws_account_id>.dkr.ecr.<region>.amazonaws.com/<repository_name>:<tag>

  3. Configure the CodeBuild environment: In the project's environment settings the development team chooses Custom image, selects Amazon ECR as the image registry (the option for an image in another AWS account), and enters the image URI. Image pull credentials must be set to the project service role: the CodeBuild API field imagePullCredentialsType must be SERVICE_ROLE for a cross-account or private registry image, because CodeBuild's own credentials cannot be used for it.

  4. Build the artifacts: Once the project is configured, the development team can use it to build their artifacts in CodeBuild. At build start the service role pulls the environment image from the ECR repository in the operations team's account.
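One way to generate and sanity-check the configuration from steps 1 to 4, as an added example that is not code from the original page or from AWS. The account IDs, region, role name and repository name are constructed placeholders; the policy documents are what you would apply with `aws ecr set-repository-policy --policy-text` in the operations account and attach to the service role in the development account, and the project dictionary is `aws codebuild create-project --cli-input-json` input. The checker flags the two mistakes that most often turn a correct answer into a failing build: pulling a cross-account image with CodeBuild's own credentials, and referencing a floating `:latest` tag.

```python
"""Cross-account ECR environment image for CodeBuild (added example, not the
page's own code). All identifiers below are constructed placeholders."""
import json
import re

OPS_ACCOUNT = "111111111111"   # owns the ECR repository (assumption)
DEV_ACCOUNT = "222222222222"   # owns the CodeBuild project (assumption)
REGION = "ap-southeast-2"
REPO_NAME = "base/builder"
IMAGE_TAG = "1.4.2"
DEV_SERVICE_ROLE_ARN = f"arn:aws:iam::{DEV_ACCOUNT}:role/codebuild-service-role"
IMAGE_URI = f"{OPS_ACCOUNT}.dkr.ecr.{REGION}.amazonaws.com/{REPO_NAME}:{IMAGE_TAG}"

# What a pull needs. ecr:GetAuthorizationToken is account-wide and comes from
# the puller's own IAM role; the repository owner grants the other three.
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
]

ECR_URI_RE = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com"
    r"/(?P<repo>[a-z0-9][a-z0-9._/-]*)"
    r"(?::(?P<tag>[A-Za-z0-9_.-]+)|@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_ecr_image_uri(uri):
    """Split a private ECR image URI into account, region, repo, tag, digest."""
    m = ECR_URI_RE.match(uri)
    if not m:
        raise ValueError(f"not a private ECR image URI: {uri}")
    return m.groupdict()


def repository_policy(consumer_role_arns):
    """Step 1, applied by the repository owner: pull-only access, scoped to the
    named CodeBuild service roles rather than a whole account root."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": list(consumer_role_arns)},
            "Action": PULL_ACTIONS,
        }],
    }


def service_role_policy(image_uri):
    """Other half of step 1: the dev account's service role must itself be
    allowed to pull; cross-account access needs both policies to allow it."""
    p = parse_ecr_image_uri(image_uri)
    repo_arn = f"arn:aws:ecr:{p['region']}:{p['account']}:repository/{p['repo']}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {"Effect": "Allow", "Action": PULL_ACTIONS, "Resource": repo_arn},
        ],
    }


def codebuild_project(name, image_uri, service_role_arn):
    """Step 3 as create-project input: custom image = the full ECR URI, pulled
    with the project's service role (mandatory for a cross-account image)."""
    return {
        "name": name,
        "serviceRole": service_role_arn,
        "source": {"type": "NO_SOURCE", "buildspec": "version: 0.2\nphases:\n  build:\n    commands:\n      - make"},
        "artifacts": {"type": "NO_ARTIFACTS"},
        "environment": {
            "type": "LINUX_CONTAINER",
            "computeType": "BUILD_GENERAL1_SMALL",
            "image": image_uri,
            "imagePullCredentialsType": "SERVICE_ROLE",
        },
    }


def check_project(project, project_account):
    """Return findings that would break or weaken the environment image pull."""
    env = project["environment"]
    try:
        p = parse_ecr_image_uri(env["image"])
    except ValueError:
        return ["image is not a private ECR URI; that needs the external registry option"]
    findings = []
    if p["account"] != project_account and env.get("imagePullCredentialsType") != "SERVICE_ROLE":
        findings.append("cross-account ECR image requires imagePullCredentialsType=SERVICE_ROLE")
    if p["tag"] in (None, "latest") and not p["digest"]:
        findings.append("pin the image to a version tag or digest, not :latest")
    return findings


if __name__ == "__main__":
    project = codebuild_project("dev-build", IMAGE_URI, DEV_SERVICE_ROLE_ARN)
    print(json.dumps(repository_policy([DEV_SERVICE_ROLE_ARN]), indent=2))
    print(json.dumps(service_role_policy(IMAGE_URI), indent=2))
    print(json.dumps(project, indent=2))
    print("findings:", check_project(project, DEV_ACCOUNT))
```

The repository policy names the specific service role ARN rather than the whole development account so that only the build project, not every principal in that account, can pull the base image; widen the Principal only if you really need to.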

Option A is not the correct answer because an AWS managed Ubuntu image is one of CodeBuild's own curated images; selecting it does not let the build use the operations team's ECR image as the environment image.

Option B is not the correct answer because CodeBuild supports cross-account access to ECR repositories. The development team can use the image in the operations team's account by following the steps above.

Option D is not the correct answer because the external Docker registry option is for registries other than Amazon ECR, such as Docker Hub; an image already in an ECR repository is configured through the Amazon ECR option.