DEV Community

Vasiliy
Real Amazon ECR Repository Pull Policy

Unfortunately, the AWS documentation doesn't give the full set of permissions needed to pull images from ECR. If you use only

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPull",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ]
    }
  ]
}

... you'll get:

iam-role/long-strange-number is not authorized to perform: ecr:GetAuthorizationToken on resource: * status code: 400

What you really need is to also grant ecr:GetAuthorizationToken on the * resource. So the full policy will be:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ],
            "Resource": "arn:aws:ecr:eu-central-1:*:repository/*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*"
        }
    ]
}
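As an added example (not code from the post or from AWS), here is a small Python linter that checks a policy document for exactly the gap described above: it verifies the three repository-level pull actions are allowed, that an identity policy also grants ecr:GetAuthorizationToken on Resource "*" (and not scoped to a repository ARN, which ECR rejects), and flags a repository policy with Principal "*" as broader than a pull needs. The two policies from the post are embedded so it runs offline; the function name lint_ecr_pull_policy and the finding wording are my own.

```python
"""Lint an IAM or ECR repository policy for the permissions an image pull needs."""
import fnmatch
import json

# Repository-level actions a pull needs (as listed in the post).
PULL_ACTIONS = (
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "ecr:BatchCheckLayerAvailability",
)
# Account-level action used by `docker login`; it only accepts Resource "*".
TOKEN_ACTION = "ecr:GetAuthorizationToken"


def _as_list(value):
    """IAM lets Action, Resource and Principal be either a string or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _allows(statement, action):
    """True if an Allow statement's Action patterns (e.g. 'ecr:*') cover action."""
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action")))


def _has_wildcard_principal(statement):
    """Detect Principal "*" or {"AWS": "*"} in a repository policy statement."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def lint_ecr_pull_policy(policy):
    """Return a list of findings; an empty list means the policy grants a working pull."""
    statements = _as_list(policy.get("Statement"))
    # A statement with a Principal is a repository policy; without one it is an
    # identity (IAM) policy attached to the role or user that does the pull.
    is_repo_policy = any("Principal" in s for s in statements)
    findings = []

    for action in PULL_ACTIONS:
        if not any(_allows(s, action) for s in statements):
            findings.append(f"missing {action}")

    token_statements = [s for s in statements if _allows(s, TOKEN_ACTION)]
    if is_repo_policy:
        findings.append(
            f"repository policy cannot grant {TOKEN_ACTION}; the pulling IAM "
            'identity needs it on Resource "*" in its own policy'
        )
    elif not token_statements:
        findings.append(f'missing {TOKEN_ACTION} on Resource "*" (docker login will fail)')
    elif not any("*" in _as_list(s.get("Resource")) for s in token_statements):
        findings.append(f'{TOKEN_ACTION} must be granted on Resource "*", not a repository ARN')

    if any(_has_wildcard_principal(s) for s in statements):
        findings.append('Principal "*" lets any AWS account pull; restrict it to the '
                        "intended account or role ARNs")

    return findings


# The two policies from the post, embedded so the script runs stand-alone.
REPOSITORY_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [{"Sid": "AllowPull", "Effect": "Allow", "Principal": "*",
    "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
               "ecr:BatchCheckLayerAvailability"]}]
}""")

IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "", "Effect": "Allow",
     "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"],
     "Resource": "arn:aws:ecr:eu-central-1:*:repository/*"},
    {"Sid": "", "Effect": "Allow", "Action": "ecr:GetAuthorizationToken",
     "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for name, policy in (("repository policy", REPOSITORY_POLICY),
                         ("identity policy", IDENTITY_POLICY)):
        findings = lint_ecr_pull_policy(policy)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it as a script and the first policy reports that the token permission has to come from the pulling role's IAM policy (the error in the post), while the second passes cleanly. Point it at your own policy JSON before attaching it to a role to catch the missing action or a mis-scoped GetAuthorizationToken up front.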
