Public repository policy examples - Amazon ECR Public

Public repository policy examples

The following examples show policy statements that you could use to control the permissions that users have to your public repositories.


Amazon ECR requires that users have permission to make calls to the ecr-public:GetAuthorizationToken and sts:GetServiceBearerToken API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.

Example: Allow an IAM user within your account

The following repository policy allows IAM users within your account to push images.

{ "Version": "2008-10-17", "Statement": [ { "Sid": "AllowPush", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::account-id:user/push-pull-user-1", "arn:aws:iam::account-id:user/push-pull-user-2" ] }, "Action": [ "ecr-public:BatchCheckLayerAvailability", "ecr-public:PutImage", "ecr-public:InitiateLayerUpload", "ecr-public:UploadLayerPart", "ecr-public:CompleteLayerUpload" ] } ] }

Example: Allow another account

The following repository policy allows a specific account to push images.

{ "Version": "2008-10-17", "Statement": [ { "Sid": "AllowCrossAccountPush", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::account-id:root" }, "Action": [ "ecr-public:BatchCheckLayerAvailability", "ecr-public:PutImage", "ecr-public:InitiateLayerUpload", "ecr-public:UploadLayerPart", "ecr-public:CompleteLayerUpload" ] } ] }