This CF template fails:
MyECSrepo:
  Type: "AWS::ECR::Repository"
  Properties:
    RepositoryName: !Ref RepoName
    RepositoryPolicyText:
      Version: "2012-10-17"
      Statement:
        - Sid: AllowAll
          Effect: Allow
          Principal:
            AWS:
              - arn:aws:iam::00000000000:group/admin
          Action:
            - "ecr:*"
The stack creation produces this error:
Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'
What might the problem be?
Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service that is secure, scalable, and reliable. Amazon ECR supports private repositories with resource-based permissions using AWS IAM.
The error can have a few meanings: You are not authorized because you do not have an ECR policy attached to your user. You are not authorized because you are using 2FA, and using the CLI is not secure unless you set a temporary session token. You provided invalid credentials.
Having a read of the documentation around ECR Repository Policy, it turns out it's limited to users and root accounts for the Principal list. So you will probably need to swap out to listing all the users you want to give access to.
Amazon documentation has some examples of what you can do with it.
Just in case duke of muppets' link breaks, here is an example. I had trouble today with the automatically created JSON. This seemed to fix it.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPushPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<<id number of root user here>>:user/<<some iam user>>"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ]
    }
  ]
}
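A pre-deployment check for the failure discussed in this thread, as an added example that is not part of the question or any answer: it walks a repository policy document, reports IAM group ARNs used as a Principal, and warns on wildcard ECR actions. The function name `lint_repository_policy`, the account id and the user name in the samples are constructed for illustration.

```python
import re

# Matches arn:aws:iam::<account>:<type>[/<name>], e.g. ...:user/alice or ...:root
_IAM_ARN = re.compile(r"^arn:aws[\w-]*:iam::(\d*):([a-z-]+)(?:/(.+))?$")

def _as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def lint_repository_policy(policy):
    """Return (severity, sid, message) findings for an ECR repository policy dict."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        # Principal is either the string "*" or a mapping such as {"AWS": [...]}.
        aws = [] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        for arn in aws:
            m = _IAM_ARN.match(arn) if isinstance(arn, str) else None
            if m and m.group(2) == "group":
                findings.append(("error", sid,
                    f"{arn}: IAM groups cannot be used as a Principal; "
                    "list users (or the account root) instead"))
        for action in _as_list(stmt.get("Action", [])):
            if stmt.get("Effect") == "Allow" and action in ("*", "ecr:*"):
                findings.append(("warning", sid,
                    f"{action}: wildcard grants every ECR action; "
                    "list only the push/pull actions that are needed"))
    return findings

# Constructed sample inputs (account id and names are placeholders).
FAILING = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowAll", "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::111122223333:group/admin"]},
    "Action": ["ecr:*"]}]}
FIXED = {"Version": "2008-10-17", "Statement": [{
    "Sid": "AllowPushPull", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/ci-pusher"},
    "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:PutImage"]}]}

if __name__ == "__main__":
    for name, doc in (("FAILING", FAILING), ("FIXED", FIXED)):
        for severity, sid, msg in lint_repository_policy(doc):
            print(f"{name} [{severity}] {sid}: {msg}")
```

Running the same check in CI on the rendered `RepositoryPolicyText` catches the group principal before CloudFormation rejects the stack.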