Vasiliy

Real Amazon ECR Repository Pull Policy

The AWS documentation does not spell out the full set of permissions a role needs to pull an image from ECR. If all you attach is a repository policy like the one below (note that "Principal": "*" lets any AWS principal pull from the repository; in practice scope it to the account or role that actually needs access),

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPull",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ]
    }
  ]
}

... the pull still fails with:

iam-role/long-strange-number is not authorized to perform: ecr:GetAuthorizationToken on resource: * status code: 400

The missing permission is ecr:GetAuthorizationToken, which the ECR login step (aws ecr get-login-password or the ECR credential helper) calls to obtain a registry token before anything is pulled. It is not a repository-level action, so a repository policy cannot grant it: it has to be allowed in the identity-based IAM policy attached to the role, and because it supports no resource-level permissions its Resource must be "*". The three layer and image actions can stay scoped to repository ARNs. The full IAM policy for the role is therefore (replace the account wildcard in the repository ARN with your own account ID if the role should only pull your own repositories):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPullFromRepositories",
      "Effect": "Allow",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": "arn:aws:ecr:eu-central-1:*:repository/*"
    },
    {
      "Sid": "AllowGetAuthorizationToken",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}
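To see exactly which of the calls behind a docker pull a given identity policy still fails to grant, here is a small offline policy checker. It is an added example, not code from this post or from AWS: it implements a deliberately simplified IAM evaluator (Allow/Deny, "*" and "?" wildcards in Action and Resource, explicit Deny wins; no Condition, NotAction, boundaries or resource-based policies) and runs the incomplete and complete identity policies from the post through it against a constructed repository ARN. The account ID and repository name are made up.

```python
"""Check whether an IAM identity policy covers every call `docker pull` makes to ECR.

Added example, not AWS code and not the post author's code. It implements
only the slice of IAM semantics needed here: Allow/Deny effects, '*' and '?'
wildcards in Action and Resource, and explicit Deny overriding Allow. It
ignores Condition, NotAction, NotResource, permission boundaries, SCPs and
resource-based (repository) policies, which the real evaluator also consults.
"""
import fnmatch
import json

# Constructed sample repository ARN (account ID and name are made up).
REPO_ARN = "arn:aws:ecr:eu-central-1:123456789012:repository/my-app"

# The ECR API calls behind a `docker pull`, with the resource each one is
# authorized against. GetAuthorizationToken supports no resource-level
# permissions, so IAM evaluates it against "*" and nothing narrower matches.
PULL_CALLS = [
    ("ecr:GetAuthorizationToken", "*"),
    ("ecr:BatchCheckLayerAvailability", REPO_ARN),
    ("ecr:BatchGetImage", REPO_ARN),
    ("ecr:GetDownloadUrlForLayer", REPO_ARN),
]

# Identity policy with only the repository-scoped actions: the post's first
# attempt expressed as an identity policy (a repository policy could not grant
# GetAuthorizationToken in any case).
INCOMPLETE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
               "ecr:BatchCheckLayerAvailability"],
    "Resource": "arn:aws:ecr:eu-central-1:*:repository/*"
  }]
}""")

# The post's full policy: the same statement plus GetAuthorizationToken on "*".
COMPLETE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                 "ecr:BatchCheckLayerAvailability"],
      "Resource": "arn:aws:ecr:eu-central-1:*:repository/*"
    },
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"}
  ]
}""")


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """IAM wildcard match: '*' is any run of characters, '?' a single one.
    Action names are case-insensitive, ARNs are not."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """True if the identity policy allows `action` on `resource`.
    Default is deny; an explicit Deny in any matching statement wins."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, fold_case=False):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_pull_permissions(policy):
    """Return the (action, resource) pairs a pull needs but `policy` does not grant."""
    return [(a, r) for a, r in PULL_CALLS if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    for name, policy in (("incomplete", INCOMPLETE_POLICY), ("complete", COMPLETE_POLICY)):
        missing = missing_pull_permissions(policy)
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(a for a, _ in missing)}")
```

Running it reports the incomplete policy as missing only ecr:GetAuthorizationToken on "*" and the complete policy as OK. Against a live account the authoritative check is the IAM policy simulator, which also evaluates conditions and resource policies: aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names ecr:GetAuthorizationToken ecr:BatchGetImage ecr:GetDownloadUrlForLayer ecr:BatchCheckLayerAvailability --resource-arns <repository-arn>.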
