ECR IAM Policies
Login
Push and pull images (read/write) in a specific repository
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ECRPushPullImage",
"Effect": "Allow",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:DescribeImages",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": "arn:${Partition}:ecr:${Region}:${Account}:repository/${RepositoryName}"
}
]
}
# Push and pull (read/write) access to one private ECR repository.
#
# The ${...} tokens in the ARN are documentation placeholders. Replace them
# with real values or Terraform references before applying, because Terraform
# reads ${...} inside a quoted string as interpolation.
#
# Registry login (ecr:GetAuthorizationToken) is not granted by this statement.
data "aws_iam_policy_document" "push_pull_images_repository" {
  statement {
    sid    = "ECRPushPullImage"
    effect = "Allow"

    # Read actions, layer-upload actions, and ecr:PutImage.
    # ecr:PutImage can repoint an existing tag unless the repository enforces
    # tag immutability, so this is a write grant over every tag in the repo.
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:CompleteLayerUpload",
      "ecr:DescribeImages",
      "ecr:GetDownloadUrlForLayer",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:UploadLayerPart",
    ]

    # Scoped to a single repository rather than "*".
    resources = [
      "arn:${Partition}:ecr:${Region}:${Account}:repository/${RepositoryName}",
    ]
  }
}
Pull images (read-only) from a specific repository
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ECRPullImage",
"Effect": "Allow",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:GetDownloadUrlForLayer"
],
"Resource": "arn:${Partition}:ecr:${Region}:${Account}:repository/${RepositoryName}"
}
]
}
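# Pull-only (read-only) access to one private ECR repository.
#
# The ${...} tokens in the ARN are documentation placeholders. Replace them
# with real values or Terraform references before applying, because Terraform
# reads ${...} inside a quoted string as interpolation.
#
# Registry login (ecr:GetAuthorizationToken) is not granted by this statement.
data "aws_iam_policy_document" "pull_images_repository" {
  statement {
    # The Sid was "ECRPushImage", which mislabels a statement that contains no
    # upload or PutImage action. An accurate Sid keeps policy audits and
    # access reviews from mistaking this for a write grant.
    sid       = "ECRPullImage"
    effect    = "Allow"
    resources = ["arn:${Partition}:ecr:${Region}:${Account}:repository/${RepositoryName}"]

    # Read actions only: none of the layer-upload actions or ecr:PutImage.
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:DescribeImages",
      "ecr:GetDownloadUrlForLayer",
    ]
  }
}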
Login (Public Registry)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EcrPublicLogin",
"Effect": "Allow",
"Action": [
"ecr-public:GetAuthorizationToken",
"sts:GetServiceBearerToken"
],
"Resource": "*"
}
]
}
# Login to the ECR Public registry.
#
# Both actions are granted on "*"; ecr-public:GetAuthorizationToken does not
# take a repository-level resource.
# NOTE(review): sts:GetServiceBearerToken could be narrowed with the
# sts:AWSServiceName condition key, but only in a statement of its own so the
# condition does not also apply to the ecr-public action. Confirm before use.
data "aws_iam_policy_document" "login_public" {
  statement {
    sid    = "EcrPublicLogin"
    effect = "Allow"

    actions = [
      "ecr-public:GetAuthorizationToken",
      "sts:GetServiceBearerToken",
    ]

    resources = [
      "*",
    ]
  }
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EcrLogin",
"Effect": "Allow",
"Action": "ecr:GetAuthorizationToken",
"Resource": "*"
}
]
}
# Login to the private ECR registry.
#
# ecr:GetAuthorizationToken does not support resource-level permissions, so
# "*" is the only usable resource. The token alone grants no repository
# access; what the caller can pull or push is decided by separate
# repository-scoped statements.
data "aws_iam_policy_document" "login" {
  statement {
    sid    = "EcrLogin"
    effect = "Allow"

    actions = [
      "ecr:GetAuthorizationToken",
    ]

    resources = [
      "*",
    ]
  }
}
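Push images to a specific public repository
Note: ECR Public repository ARNs use the ecr-public service prefix and have no region, i.e. arn:${Partition}:ecr-public::${Account}:repository/${RepositoryName}. A Resource written with the ecr prefix does not match a public repository, so the ecr-public actions below are not granted.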
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ECRPushPublicImage",
"Effect": "Allow",
"Action": [
"ecr-public:BatchCheckLayerAvailability",
"ecr-public:CompleteLayerUpload",
"ecr-public:DescribeImages",
"ecr-public:InitiateLayerUpload",
"ecr-public:PutImage",
"ecr-public:UploadLayerPart"
],
"Resource": "arn:${Partition}:ecr:${Region}:${Account}:repository/${RepositoryName}"
}
]
}
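# Push access to one ECR Public repository.
#
# The ${...} tokens in the ARN are documentation placeholders. Replace them
# with real values or Terraform references before applying, because Terraform
# reads ${...} inside a quoted string as interpolation.
#
# Login to the public registry (ecr-public:GetAuthorizationToken and
# sts:GetServiceBearerToken) is not granted by this statement.
data "aws_iam_policy_document" "push_images_public_repository" {
  statement {
    sid    = "ECRPushPublicImage"
    effect = "Allow"

    # ECR Public repository ARNs use the ecr-public service prefix and have an
    # empty region field. The earlier "arn:...:ecr:${Region}:..." form names a
    # private-registry repository, which the ecr-public actions never match,
    # so the statement granted nothing.
    resources = ["arn:${Partition}:ecr-public::${Account}:repository/${RepositoryName}"]

    # Upload and publish actions only; no ecr-public delete or repository
    # administration actions are included.
    actions = [
      "ecr-public:BatchCheckLayerAvailability",
      "ecr-public:CompleteLayerUpload",
      "ecr-public:DescribeImages",
      "ecr-public:InitiateLayerUpload",
      "ecr-public:PutImage",
      "ecr-public:UploadLayerPart",
    ]
  }
}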