Repository policy examples
The following examples show policy statements that you could use to control the permissions that authenticated users have to Amazon ECR repositories.
Amazon ECR requires that users have permission to make calls to the
ecr:GetAuthorizationToken API through an IAM policy before they
can authenticate to a registry and push or pull any images from any Amazon ECR
repository. Amazon ECR provides several managed IAM policies to control user access
at
varying levels; for more information, see Amazon Elastic Container Registry Identity-Based Policy
Examples.
Example: Allow one or more IAM users
The following repository policy allows one or more IAM users to push and pull images to and from a repository.
{ "Version": "2008-10-17", "Statement": [ { "Sid": "AllowPushPull", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::account-id:user/push-pull-user-1", "arn:aws:iam::account-id:user/push-pull-user-2" ] }, "Action": [ "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability", "ecr:CompleteLayerUpload", "ecr:GetDownloadUrlForLayer", "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart" ] } ] }
Example: Allow another account
The following repository policy allows a specific account to push images.
The account you are granting permissions to must have the Region you are creating the repository policy in enabled, otherwise an error will occur.
{ "Version": "2008-10-17", "Statement": [ { "Sid": "AllowCrossAccountPush", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::account-id:root" }, "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:CompleteLayerUpload", "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart" ] } ] }
The following repository policy allows some IAM users to pull images
(pull-user-1 and
pull-user-2) while providing full access to another
(admin-user).
For more complicated repository policies that are not currently supported in the AWS Management Console, you can apply the policy with the set-repository-policy AWS CLI command.
{ "Version": "2008-10-17", "Statement": [ { "Sid": "AllowPull", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::account-id:user/pull-user-1", "arn:aws:iam::account-id:user/pull-user-2" ] }, "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ] }, { "Sid": "AllowAll", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::account-id:user/admin-user" }, "Action": [ "ecr:*" ] } ] }
Example: Allow all users in an IAM group to pull images
The following repository policy allows all users in an IAM group to pull images. For more information about IAM groups, see IAM user groups in the IAM User Guide.
{ "Version": "2008-10-17", "Statement": [ { "Sid": "AllowPull", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::account-id:group/group-name" }, "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ] } ] }
Example: Deny all
The following repository policy denies all users in all accounts the ability to pull images.
{ "Version": "2008-10-17", "Statement": [ { "Sid": "DenyPull", "Effect": "Deny", "Principal": "*", "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ] } ] }
Example: Restricting access to specific IP addresses
The following example grants permissions to any user to perform any Amazon ECR operations when applied to a repository. However, the request must originate from the range of IP addresses specified in the condition.
The condition in this statement identifies the 54.240.143.* range of
allowed Internet Protocol version 4 (IPv4) IP addresses, with one exception:
54.240.143.188.
The Condition block uses the IpAddress and
NotIpAddress conditions and the aws:SourceIp condition
key, which is an AWS-wide condition key. For more information about these
condition keys, see AWS Global
Condition Context Keys. Theaws:sourceIp IPv4 values use the
standard CIDR notation. For more information, see IP Address Condition Operators in the IAM User Guide.
{ "Version": "2012-10-17", "Id": "ECRPolicyId1", "Statement": [ { "Sid": "IPAllow", "Effect": "Allow", "Principal": "*", "Action": "ecr:*", "Condition": { "NotIpAddress": { "aws:SourceIp": "54.240.143.188/32" }, "IpAddress": { "aws:SourceIp": "54.240.143.0/24" } } } ] }
Example: Service-linked role
The following repository policy allows AWS CodeBuild access to the Amazon ECR API actions necessary for integration with that service. For more information, see Amazon ECR Sample for CodeBuild in the AWS CodeBuild User Guide.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CodeBuildAccess", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com" }, "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ] } ] }
