Using Tag-Based Access Control

The Amazon ECR CreateRepository API action enables you to specify tags when you create the repository. For more information, see Tagging a private repository in Amazon ECR.

To enable users to tag repositories on creation, they must have permissions to use the action that creates the resource (for example, ecr:CreateRepository). If tags are specified in the resource-creating action, Amazon performs additional authorization on the ecr:CreateRepository action to verify if users have permissions to create tags.

You can use tag-based access control through IAM policies. The following are examples.

The following policy would only allow a user to create or tag a repository as key=environment,value=dev.

The following policy would allow a user to pull images from all repositories unless they were tagged as key=environment,value=prod.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Identity-based policy examples

AWS managed policies for Amazon ECR