Real Amazon ECR Repository Pull Policy

Vasiliy · 1 min read

Unfortunately, the AWS documentation doesn't give the full set of permissions needed to pull images from ECR. If you use only a repository policy like this one

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPull",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ]
    }
  ]
}

... you'll get

iam-role/long-strange-number is not authorized to perform: ecr:GetAuthorizationToken on resource: * status code: 400

What you actually need is to also allow ecr:GetAuthorizationToken on the * resource: that action is account-scoped, not repository-scoped, so it cannot be granted per repository and has to be allowed on * in the policy attached to the pulling IAM role. The full policy becomes:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ],
            "Resource": "arn:aws:ecr:eu-central-1:*:repository/*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*"
        }
    ]
}
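As an added check that is not part of the post, the small Python linter below reads a pull policy and reports exactly the gap behind the error above (ecr:GetAuthorizationToken missing or not on Resource "*"), and also flags a repository policy whose Principal is "*". It runs on constructed copies of the two policies shown in this post.

```python
import json

# Repository-scoped actions a pull needs (the three from the post) and the
# account-scoped token action that must be allowed on Resource "*".
PULL_ACTIONS = {"ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"}
TOKEN_ACTION = "ecr:GetAuthorizationToken"


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalize to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def check_pull_policy(policy_json):
    """Return the problems that would break a pull; an empty list means the policy is complete."""
    problems, granted, token_on_star = [], set(), False
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action")))
        resources = _as_list(stmt.get("Resource"))
        if "ecr:*" in actions or "*" in actions:
            actions |= PULL_ACTIONS | {TOKEN_ACTION}  # service wildcard covers all four
        granted |= actions & PULL_ACTIONS
        if TOKEN_ACTION in actions:
            if "*" in resources:
                token_on_star = True
            else:
                problems.append(f'{TOKEN_ACTION} must be allowed on Resource "*", got {resources}')
        # An open principal on a repository policy lets any AWS account pull the images.
        if stmt.get("Principal") == "*":
            problems.append(f'statement {stmt.get("Sid")!r} has Principal "*": scope it to named accounts or roles')
    missing = PULL_ACTIONS - granted
    if missing:
        problems.append("missing repository actions: " + ", ".join(sorted(missing)))
    if not token_on_star:
        problems.append(f'no Allow for {TOKEN_ACTION} on Resource "*" (the "not authorized to perform: ecr:GetAuthorizationToken" error)')
    return problems


# Constructed copies of the post's two policies so the check runs stand-alone.
REPO_POLICY_ONLY = json.dumps({"Version": "2008-10-17", "Statement": [
    {"Sid": "AllowPull", "Effect": "Allow", "Principal": "*", "Action": sorted(PULL_ACTIONS)}]})
FULL_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(PULL_ACTIONS), "Resource": "arn:aws:ecr:eu-central-1:*:repository/*"},
    {"Effect": "Allow", "Action": TOKEN_ACTION, "Resource": "*"}]})

if __name__ == "__main__":
    print(check_pull_policy(REPO_POLICY_ONLY))  # Principal "*" finding plus the missing token action
    print(check_pull_policy(FULL_ROLE_POLICY))  # []
```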
