AWS::ECR::RegistryPolicy - AWS CloudFormation

AWS::ECR::RegistryPolicy

The AWS::ECR::RegistryPolicy resource creates or updates the permissions policy for a private registry.

A private registry policy is used to specify permissions for another AWS account and is used when configuring cross-account replication. For more information, see Registry permissions in the Amazon Elastic Container Registry User Guide.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::ECR::RegistryPolicy",
  "Properties" : {
      "PolicyText" : Json
    }
}

YAML

Type: AWS::ECR::RegistryPolicy
Properties:
  PolicyText: Json

Properties

PolicyText

The JSON policy text for your registry.

Required: Yes

Type: Json

Update requires: No interruption

Return values

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

RegistryId

The account ID of the private registry the policy is associated with.

Examples

Specify a registry policy for a private registry

The following example specifies a private registry policy in us-west-2 that grants permission for account 210987654321 to create repositories and replicate their contents to your private registry.

JSON

"TestRegistryPolicy": {
    "Type": "AWS::ECR::RegistryPolicy",
    "Properties": {
        "PolicyText": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "ReplicationAccessCrossAccount",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::210987654321:root"
                    },
                    "Action": [
                        "ecr:CreateRepository",
                        "ecr:ReplicateImage"
                    ],
                    "Resource": "arn:aws:ecr:us-west-2:123456789012:repository/*"
                }
            ]
        }
    }
}

YAML

Resources:
  TestRegistryPolicy:
    Type: 'AWS::ECR::RegistryPolicy'
    Properties:
      PolicyText:
        Version: 2012-10-17
        Statement:
          - Sid: UpdatedRegistryPolicy
            Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::210987654321:root'
            Action:
              - 'ecr:CreateRepository'
              - 'ecr:ReplicateImage'
            Resource: 'arn:aws:ecr:us-west-2:123456789012:repository/*'
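Because a registry policy grants another account rights on the whole private registry, it is worth checking PolicyText before a template is deployed. The following is an added example, not part of the original AWS documentation: a pre-deployment check that flags principals outside a trusted-account set, actions beyond the two replication actions shown above, and resources not scoped to repository ARNs. The function name, the allowlist, and the second sample resource are assumptions, and the template is assumed to be already parsed with literal string values (no intrinsic functions).

```python
import json

# Assumption: allowlist taken from the two replication actions in the page's example.
ALLOWED_ACTIONS = {"ecr:CreateRepository", "ecr:ReplicateImage"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_registry_policies(template, trusted_accounts):
    """Return (logical_id, sid, finding) for each risky Allow in a RegistryPolicy."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::ECR::RegistryPolicy":
            continue
        policy = res["Properties"]["PolicyText"]
        if isinstance(policy, str):  # PolicyText supplied as a JSON string
            policy = json.loads(policy)
        for stmt in _as_list(policy.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            sid = stmt.get("Sid", "<no Sid>")
            principal = stmt.get("Principal", {})
            arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
            for arn in arns:
                parts = arn.split(":")  # account ID is the fifth field of an IAM ARN
                account = parts[4] if len(parts) > 4 else arn
                if account not in trusted_accounts:
                    findings.append((logical_id, sid, f"untrusted principal {arn}"))
            for action in _as_list(stmt.get("Action", [])):
                if action not in ALLOWED_ACTIONS:
                    findings.append((logical_id, sid, f"unexpected action {action}"))
            for resource in _as_list(stmt.get("Resource", [])):
                if ":repository/" not in resource:
                    findings.append((logical_id, sid, f"unscoped resource {resource}"))
    return findings

# Constructed sample: the page's policy plus a deliberately over-broad one.
SAMPLE_TEMPLATE = {"Resources": {
    "TestRegistryPolicy": {"Type": "AWS::ECR::RegistryPolicy", "Properties": {"PolicyText": {
        "Version": "2012-10-17", "Statement": [{
            "Sid": "ReplicationAccessCrossAccount", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
            "Action": ["ecr:CreateRepository", "ecr:ReplicateImage"],
            "Resource": "arn:aws:ecr:us-west-2:123456789012:repository/*"}]}}},
    "BroadRegistryPolicy": {"Type": "AWS::ECR::RegistryPolicy", "Properties": {"PolicyText": {
        "Version": "2012-10-17", "Statement": [{
            "Sid": "TooBroad", "Effect": "Allow", "Principal": "*",
            "Action": "ecr:*", "Resource": "*"}]}}}}}

if __name__ == "__main__":
    print(audit_registry_policies(SAMPLE_TEMPLATE, {"210987654321"}))
```

With account 210987654321 in the trusted set, the page's policy produces no findings and the constructed over-broad policy produces three.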