DEV Community

Vasiliy
Vasiliy

Posted on

Real Amazon ECR Repository Pull Policy

#note #devops #aws #ecr

Unfortunately AWS documentation doesn't give us full permission settings to pull images from ECR. And if you'll use only

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPull",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ]
    }
  ]
}

... you'll get

iam-role/long-strange-number is not authorized to perform: ecr:GetAuthorizationToken on resource: * status code: 400

And what you really need is to set up ecr:GetAuthorizationToken rights to * resource. So full policy will be:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ],
            "Resource": "arn:aws:ecr:eu-central-1:*:repository/*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*"
        }
    ]
}

Top comments (0)

Read next

madriz03 profile image

VPC y Subredes en AWS - Parte 2: Configuración de Conectividad Segura entre Recursos y hacia Internet

Javier Madriz -

wojciech_piotrka_4898763 profile image

Getting Started with AWS Landing Zone: Tips for Terraform Setup

Wojciech Kaczmarczyk -

signadot profile image

Multitenancy Is Fundamental to Shift-Left Testing

Signadot -

r0mymendez profile image

Diagram-as-Code: Creating Dynamic and Interactive Documentation for Visual Content

Romina Mendez -