Amazon ECR IAM Policies and Roles
By default, IAM users don't have permission to create or modify Amazon ECR resources, or perform tasks using the Amazon ECR API. (This means that they also can't do so using the Amazon ECR console or the AWS CLI.) To allow IAM users to create or modify resources and perform tasks, you must create IAM policies that grant IAM users permission to use the specific resources and API operations they'll need, and then attach those policies to the IAM users or groups that require those permissions.
When you attach a policy to a user or group of users, it allows or denies the users permission to perform the specified tasks on the specified resources. For more information, see Permissions and Policies and Managing IAM Policies in the IAM User Guide.
Likewise, Amazon ECS container instances make calls to the Amazon ECR APIs on your behalf (to pull Docker images that are used in Amazon ECS task definitions), so they need to authenticate with your credentials. This authentication is accomplished by creating an IAM role for your container instances and associating that role with your container instances when you launch them. For more information, see Amazon ECS Container Instance IAM Role in the Amazon EC2 Container Service Developer Guide. For more information about IAM roles, see IAM Roles in the IAM User Guide.
An IAM policy must grant or deny permission to use one or more Amazon ECR operations. It must also specify the resources that can be used with the operation, which can be all resources, or in some cases, specific resources. The policy can also include conditions that you apply to the resource.
Amazon ECR partially supports resource-level permissions. This means that for some Amazon ECR API operations, you cannot specify which resource a user is allowed to work with for that operation; instead, you have to allow users to work with all resources for that operation by setting the statement's Resource element to "*". A statement that lists such an operation but scopes Resource to a repository ARN grants nothing for that operation, and calls to it are denied.
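The following is an added example, not code from the Amazon ECR documentation. It embeds two constructed policy documents for a container-instance role that only needs to pull images: one that grants ecr:GetAuthorizationToken with Resource "*" and scopes the pull operations to a single repository ARN, and one that puts all four actions in a single repository-scoped statement, a common mistake. A small checker then flags Allow statements that cover an account-level ECR action without Resource "*". The account ID (123456789012), region and repository name are placeholders; only ecr:GetAuthorizationToken is asserted here to require Resource "*", and the tuple is meant to be extended from the ECR documentation for any other such operations.

```python
import fnmatch
import json

# ecr:GetAuthorizationToken has no resource ARN, so it can only be granted with
# Resource "*". Only this action is asserted here; extend the tuple from the
# ECR documentation for other operations that lack resource-level permissions.
ACCOUNT_LEVEL_ACTIONS = ("ecr:GetAuthorizationToken",)

# Constructed example policy for a container-instance role that pulls from one
# repository. The account ID, region and repository name are placeholders.
PULL_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetAuthToken",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "PullOneRepository",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/my-app"
    }
  ]
}"""

# Same intent, but written as one statement scoped to the repository ARN.
# GetAuthorizationToken is silently not granted, so the registry login step
# fails with an access-denied error even though the pull actions look correct.
MISSCOPED_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PullOneRepository",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/my-app"
    }
  ]
}"""


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' wildcards,
    so "ecr:*" or "ecr:Get*" also cover GetAuthorizationToken."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_misscoped_actions(policy_json):
    """Return (Sid, action) pairs for Allow statements whose Action covers an
    account-level ECR action but whose Resource does not include "*".
    Such a statement does not grant that action at all."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Resource")):
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in ACCOUNT_LEVEL_ACTIONS:
                if _action_matches(pattern, action):
                    findings.append((stmt.get("Sid"), action))
    return findings


if __name__ == "__main__":
    for name, doc in (("pull", PULL_POLICY_JSON), ("misscoped", MISSCOPED_POLICY_JSON)):
        print(name, find_misscoped_actions(doc) or "ok")
```

The checker deliberately stops at Resource "*": an ARN pattern such as arn:aws:ecr:*:*:repository/* still does not match an operation that has no resource ARN, so only a literal "*" satisfies it. Deny statements are skipped because scoping a Deny to an ARN is harmless for these operations (it simply denies nothing).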