Unfortunately the AWS documentation doesn't give the full set of permissions needed to pull images from ECR. If you use only this policy:
```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPull",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ]
    }
  ]
}
```
... you'll get:

```
iam-role/long-strange-number is not authorized to perform: ecr:GetAuthorizationToken on resource: * status code: 400
```
What you really need in addition is `ecr:GetAuthorizationToken` on the `*` resource (that action does not support resource-level restrictions, so its `Resource` must be `*`). The full policy will then be:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": "arn:aws:ecr:eu-central-1:*:repository/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}
```
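To catch this before a deploy fails, here is an added example (my own, not from the post or AWS) that checks an IAM identity policy for exactly the four actions discussed above: the three per-repository actions against a given repository ARN and `ecr:GetAuthorizationToken` against `*`. It assumes a constructed repository ARN and only evaluates Allow statements (no Deny, Condition or NotAction handling).

```python
"""Check whether an IAM identity policy grants everything an ECR image pull needs."""
import fnmatch
import json

# The three per-repository pull actions, plus the account-wide token action
# that the error message in the post reports as missing.
REPO_ACTIONS = (
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "ecr:BatchCheckLayerAvailability",
)
TOKEN_ACTION = "ecr:GetAuthorizationToken"  # only ever valid with Resource "*"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(statement, action, resource):
    """True if an Allow statement matches both the action and the resource.
    Actions are matched case-insensitively (as IAM does); ARNs case-sensitively."""
    if statement.get("Effect") != "Allow":
        return False
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    resources = _as_list(statement.get("Resource", []))
    return any(fnmatch.fnmatchcase(action.lower(), a) for a in actions) and any(
        fnmatch.fnmatchcase(resource, r) for r in resources
    )


def missing_pull_permissions(policy_json, repo_arn):
    """Return the actions the policy does not allow for pulling from repo_arn."""
    statements = _as_list(json.loads(policy_json)["Statement"])
    missing = [a for a in REPO_ACTIONS
               if not any(_allows(s, a, repo_arn) for s in statements)]
    if not any(_allows(s, TOKEN_ACTION, "*") for s in statements):
        missing.append(TOKEN_ACTION)
    return missing


# Constructed samples: the post's repository statement on its own, and the full policy.
REPO_STATEMENT = {"Effect": "Allow", "Action": list(REPO_ACTIONS),
                  "Resource": "arn:aws:ecr:eu-central-1:*:repository/*"}
TOKEN_STATEMENT = {"Effect": "Allow", "Action": TOKEN_ACTION, "Resource": "*"}
PULL_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [REPO_STATEMENT]})
FULL = json.dumps({"Version": "2012-10-17", "Statement": [REPO_STATEMENT, TOKEN_STATEMENT]})

if __name__ == "__main__":
    repo = "arn:aws:ecr:eu-central-1:123456789012:repository/my-app"  # constructed ARN
    print(missing_pull_permissions(PULL_ONLY, repo))  # ['ecr:GetAuthorizationToken']
    print(missing_pull_permissions(FULL, repo))       # []
```

Running it against a repository in another region than the policy's `eu-central-1` pattern reports all three repository actions as missing, which is the other common cause of a failed pull.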