Real Amazon ECR Repository Pull Policy

#note #devops #aws #ecr

Unfortunately AWS documentation doesn't give us full permission settings to pull images from ECR. And if you'll use only

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPull",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ]
    }
  ]
}

... you'll get
iam-role/long-strange-number is not authorized to perform: ecr:GetAuthorizationToken on resource: * status code: 400

And what you really need is to set up ecr:GetAuthorizationToken rights to * resource. So full policy will be:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ],
            "Resource": "arn:aws:ecr:eu-central-1:*:repository/*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*"
        }
    ]
}

DEV Community

Real Amazon ECR Repository Pull Policy

Top comments (0)

Read next

Unlock 100% Persistent Storage for Docker Containers in 5 Steps

Resilience in the Cloud - Fault Isolation Boundaries

Introduction to Kubernetes and AWS EKS - Part 1

How to Install WKHTMLTOPDF with Patched QT on Ubuntu and CentOS 8