 

Restrict access to namespace in ECR

I want to restrict an EC2 instance to EC2 container registry (ECR) repositories with the same namespace.

The IAM instance role should only be able to pull all repositories under AWS_ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/test-namespace/.... Nothing else.

I've tried the following IAM policy on an EC2 instance role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1490955256000",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage"
            ],
            "Resource": [
                "arn:aws:ecr:REGION:AWS_ACCOUNT_ID:repository/test-namespace/*"
            ]
        }
    ]
}

But I was able to docker pull images from all repositories on that instance. E.g. AWS_ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/test-repo:latest

I don't see what I did wrong. It can't be the resource-level permissions. All of the above actions support them, except ecr:GetAuthorizationToken.

As we have many repositories, I don't want to set resource permissions on each repository.

Dominik asked Oct 29 '22 09:10



1 Answer

ecr:GetAuthorizationToken does not support resource-level permissions. You'll need to grant "Resource": "*" to the ecr:GetAuthorizationToken action. The other actions can be restricted to the specific resources you wish to access.

In a policy, that would look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1490955256000",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1490955256001",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage"
            ],
            "Resource": [
                "arn:aws:ecr:REGION:AWS_ACCOUNT_ID:repository/test-namespace/*"
            ]
        }
    ]
}
Samuel Karp answered Nov 15 '22 07:11

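As an added example (not part of the question or the answer above), the following Python script evaluates both policies offline the way IAM's Allow logic treats them: it implements IAM's `*`/`?` wildcard matching, checks that `ecr:GetAuthorizationToken` is granted on the literal resource `"*"` (an ARN pattern never matches it, which is why the question's single-statement policy cannot even log in), and then probes whether `docker pull` would be authorised for a repository inside the namespace, a repository outside it, and a sibling namespace such as `test-namespace-other/`. It also shows how the sloppier pattern `repository/test-namespace*` (no slash) widens the grant to that sibling. It models only Allow statements with Action/Resource; Deny, Condition and ECR repository (resource-based) policies are out of scope, and `REGION`/`AWS_ACCOUNT_ID` are kept as the post's placeholders. The repository names it probes are constructed for this example.

```python
"""Offline checker for an ECR namespace-scoped IAM identity policy.

Reproduces only the part of IAM evaluation the policies on this page rely on:
Allow statements with Action/Resource lists and IAM's '*' / '?' wildcards.
Deny, NotAction, Condition and ECR repository policies are out of scope.
REGION / AWS_ACCOUNT_ID are the post's placeholders; the repository names
probed below are constructed for this example.
"""
import copy
import re

REPO_ARN = "arn:aws:ecr:REGION:AWS_ACCOUNT_ID:repository/{}"
NAMESPACE_PATTERN = REPO_ARN.format("test-namespace/*")
# Repository-scoped actions a `docker pull` exercises after the registry login.
PULL_ACTIONS = ("ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage")
REPO_ACTIONS = PULL_ACTIONS + ("ecr:GetRepositoryPolicy", "ecr:DescribeRepositories",
                               "ecr:ListImages", "ecr:DescribeImages")

# The answer's policy: token on "*", everything else scoped to the namespace.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1490955256000", "Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken"], "Resource": ["*"]},
        {"Sid": "Stmt1490955256001", "Effect": "Allow",
         "Action": list(REPO_ACTIONS), "Resource": [NAMESPACE_PATTERN]},
    ],
}

# The question's policy: one statement, token included, everything on the namespace ARN.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1490955256000", "Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken"] + list(REPO_ACTIONS),
         "Resource": [NAMESPACE_PATTERN]},
    ],
}


def with_repo_resource(policy, pattern):
    """Copy of `policy` with the last statement's Resource replaced; used to
    show how a sloppier wildcard widens the grant."""
    p = copy.deepcopy(policy)
    p["Statement"][-1]["Resource"] = [pattern]
    return p


def _as_list(value):
    """Action and Resource may be a single string or a list in IAM JSON."""
    return value if isinstance(value, list) else [value]


def iam_match(pattern, value):
    """IAM wildcards: '*' matches any run of characters (including '/' and ':'),
    '?' matches exactly one. Resource ARNs are case-sensitive; the caller
    lower-cases both sides for action names, which IAM compares case-insensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """True if any Allow statement grants `action` on `resource`.

    Actions without resource-level support (ecr:GetAuthorizationToken) are
    evaluated against the literal resource "*", so the policy must name "*";
    an ARN pattern like .../repository/test-namespace/* never matches it."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(iam_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if any(iam_match(r, resource) for r in _as_list(stmt["Resource"])):
            return True
    return False


def can_pull(policy, repo_name):
    """Would `docker login` plus `docker pull` of this repository be authorised
    by the identity policy alone: token on "*" plus the pull actions on the ARN."""
    arn = REPO_ARN.format(repo_name)
    return is_allowed(policy, "ecr:GetAuthorizationToken", "*") and all(
        is_allowed(policy, a, arn) for a in PULL_ACTIONS)


def leaks_outside_namespace(policy, probe_repo="some-other-team/app"):
    """Repository-scoped actions the policy grants on a repository that is not
    under test-namespace/. A non-empty list means the scoping failed."""
    arn = REPO_ARN.format(probe_repo)
    return [a for a in REPO_ACTIONS if is_allowed(policy, a, arn)]


if __name__ == "__main__":
    loose = with_repo_resource(ANSWER_POLICY, REPO_ARN.format("test-namespace*"))
    for name, pol in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY),
                      ("loose wildcard", loose)):
        print(f"{name}: test-namespace/app={can_pull(pol, 'test-namespace/app')} "
              f"test-repo={can_pull(pol, 'test-repo')} "
              f"test-namespace-other/app={can_pull(pol, 'test-namespace-other/app')} "
              f"leaks={leaks_outside_namespace(pol)}")
```

Running it shows the question's policy pulling nothing (no token on `"*"`), the answer's policy pulling only `test-namespace/...`, and the slash-less `test-namespace*` pattern also reaching `test-namespace-other/app`. Against a live account the same probes can be made with `aws iam simulate-principal-policy` on the instance role's ARN; remember that an identity policy is only half the decision, since any other policy attached to the role, or a permissive repository policy on the target repository, can still grant the pull this checker rules out.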