Private registry policy examples - Amazon ECR

Private registry policy examples

The following examples show registry permission policy statements that you could use to control the permissions that users have to your Amazon ECR registry.

Example: Allow the root user of a source account to replicate all repositories

{ "Version":"2012-10-17", "Statement":[ { "Sid":"ReplicationAccessCrossAccount", "Effect":"Allow", "Principal":{ "AWS":"arn:aws:iam::source_account_id:root" }, "Action":[ "ecr:CreateRepository", "ecr:ReplicateImage" ], "Resource": [ "arn:aws:ecr:us-west-2:your_account_id:repository/*" ] } ] }

Example: Allow multiple accounts

{ "Version":"2012-10-17", "Statement":[ { "Sid":"ReplicationAccessCrossAccount", "Effect":"Allow", "Principal":{ "AWS":"arn:aws:iam::source_account_id:root" }, "Action":[ "ecr:CreateRepository", "ecr:ReplicateImage" ], "Resource": [ "arn:aws:ecr:us-west-2:your_account_id:repository/*" ] }, { "Sid":"ReplicationAccessCrossAccount", "Effect":"Allow", "Principal":{ "AWS":"arn:aws:iam::source_account_id:root" }, "Action":[ "ecr:CreateRepository", "ecr:ReplicateImage" ], "Resource": [ "arn:aws:ecr:us-west-2:your_account_id:repository/*" ] } ] }

Example: Allow the root user of a source account to replicate all repositories starting with prod-

{ "Version":"2012-10-17", "Statement":[ { "Sid":"ReplicationAccessCrossAccount", "Effect":"Allow", "Principal":{ "AWS":"arn:aws:iam::source_account_id:root" }, "Action":[ "ecr:CreateRepository", "ecr:ReplicateImage" ], "Resource": [ "arn:aws:ecr:us-west-2:your_account_id:repository/prod-*" ] } ] }

Example: Allow the root user of a source account to replicate all repositories starting with prod-

If the ecr:CreateRepository action is removed from your registry permission statement, you can replicate your repositories. However, for successful replication, you need to create repositories with the same name within your account.

{ "Version":"2012-10-17", "Statement":[ { "Sid":"ReplicationAccessCrossAccount", "Effect":"Allow", "Principal":{ "AWS":"arn:aws:iam::source_account_id:root" }, "Action":[ "ecr:ReplicateImage" ], "Resource": [ "arn:aws:ecr:us-west-2:your_account_id:repository/*" ] } ] }