I want to restrict an EC2 instance to EC2 Container Registry (ECR) repositories with the same namespace.
The IAM instance role should only be able to pull all repositories under AWS_ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/test-namespace/... Nothing else.
I've tried the following IAM policy on an EC2 instance role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1490955256000",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage"
      ],
      "Resource": [
        "arn:aws:ecr:REGION:AWS_ACCOUNT_ID:repository/test-namespace/*"
      ]
    }
  ]
}
But I was able to docker pull images from all repositories on that instance, e.g. AWS_ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/test-repo:latest
I don't see what I did wrong. It can't be the resource-level permissions. All of the above actions support them, except ecr:GetAuthorizationToken.
As we have many repositories, I don't want to set resource permissions on each repository.
ecr:GetAuthorizationToken does not support resource-level permissions. You'll need to grant "Resource": "*" to the ecr:GetAuthorizationToken action. The other actions can be restricted to the specific resources you wish to access.
In a policy, that would look like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1490955256000",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1490955256001",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage"
      ],
      "Resource": [
        "arn:aws:ecr:REGION:AWS_ACCOUNT_ID:repository/test-namespace/*"
      ]
    }
  ]
}
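As an added illustration (not part of the question or answer; account id, region and repository names are placeholders), the following offline model of IAM's Allow/wildcard evaluation shows why the two policies behave differently: the single-statement policy cannot even satisfy the ecr:GetAuthorizationToken call, whereas the split policy grants the token on "*" and still confines pulls to the test-namespace/ repositories.

```python
"""Offline model of how IAM evaluates the two ECR policies above (constructed example;
implements only Allow statements, '*' wildcards and implicit deny)."""
import fnmatch
import json

ACCOUNT, REGION = "123456789012", "eu-west-1"  # placeholder values
REPO_ARN = f"arn:aws:ecr:{REGION}:{ACCOUNT}:repository/"
PULL_ACTIONS = ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage"]

# Question's policy: every action, including GetAuthorizationToken, scoped to the namespace.
ORIGINAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"] + PULL_ACTIONS,
     "Resource": [REPO_ARN + "test-namespace/*"]}]})

# Answer's policy: GetAuthorizationToken on "*" in its own statement, pulls still scoped.
CORRECTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": PULL_ACTIONS,
     "Resource": [REPO_ARN + "test-namespace/*"]}]})

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy_json, action, resource):
    """True if some Allow statement matches both the action and the resource."""
    for stmt in json.loads(policy_json)["Statement"]:  # json.loads rejects trailing commas
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False  # no matching Allow: implicit deny

def docker_pull_allowed(policy_json, repo_name):
    """Model 'docker pull': the token call (evaluated against resource '*') must succeed,
    then each pull action must be allowed on the repository ARN."""
    if not is_allowed(policy_json, "ecr:GetAuthorizationToken", "*"):
        return False
    return all(is_allowed(policy_json, a, REPO_ARN + repo_name) for a in PULL_ACTIONS)

if __name__ == "__main__":
    for name, pol in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        for repo in ("test-namespace/app", "test-repo"):
            print(f"{name:9} {repo:20} pull allowed: {docker_pull_allowed(pol, repo)}")
```

Because the model only covers identity-policy Allow statements, a pull that succeeds on a real instance despite this policy points to another attached policy or a repository policy, which is where to look next.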