Sharing ECR repository within AWS organization - amazon-web-services

How can I share a repository in AWS ECR with all other accounts in an organization? From what I have read here and elsewhere it seems like resource-based permissions are the way to go. Namely, it is suggested to add an aws:PrincipalOrgID condition to the resource. However, when I use Account-A within the organization to share the resource I still do not see that resource appearing in the private repositories list in Account-B of the same organization. At this point I have exhausted all the ideas and just don't understand how to move forward. I am very new to AWS.
Here is how my private repository is configured:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ReadonlyAccess",
"Effect": "Allow",
"Principal": "*",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImageScanFindings",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:ListImages"
],
"Condition": {
"StringLike": {
"aws:PrincipalOrgID": "o-orgniztion"
}
}
}
]
}

According to this post, you can use
"Condition": {
"ForAnyValue:StringLike": {
"aws:PrincipalOrgPaths":["o-xxxxxxxxxx/r-xxxx/ou-xxxx-xxxxxxxx/*"]
}
}
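The following is an added example, not code from the original question or from AWS: it builds the organization-scoped read-only repository policy the question is after, lints it for the mistakes that are easy to make in this kind of policy, and shows how the consuming account addresses the shared repository. A resource policy grants access but does not make the repository appear in Account-B's own repository list; Account-B pulls through Account-A's registry hostname, and the principal in Account-B still needs ecr:GetAuthorizationToken in its own IAM policy to log in. The org ID, account ID, region and repository name are made up, and nothing here calls AWS.

```python
"""Added example, not from the original thread: build an organization-scoped
read-only ECR repository policy, lint it, and form the cross-account pull URI.
The org ID, account ID, region and repository name below are made up."""
import json

# Pull-only repository actions a consumer needs. DescribeRepositories only
# makes the repository visible to `aws ecr describe-repositories`.
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
    "ecr:DescribeImages",
    "ecr:DescribeRepositories",
    "ecr:ListImages",
]

# Condition keys that narrow a wildcard principal to a trusted set of callers.
SCOPING_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalOrgPaths",
                "aws:PrincipalAccount", "aws:PrincipalArn"}

WRITE_PREFIXES = ("Put", "InitiateLayerUpload", "UploadLayerPart",
                  "CompleteLayerUpload", "Delete", "BatchDelete", "SetRepository")


def build_org_readonly_policy(org_id: str) -> dict:
    """Repository policy: anyone in the organization may pull, nobody may push."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OrgReadOnly",
            "Effect": "Allow",
            "Principal": "*",  # wildcard on purpose; the condition scopes it
            "Action": PULL_ACTIONS,
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }


def _is_wildcard(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def _scoped(condition: dict) -> bool:
    """True if a non-negated operator tests one of SCOPING_KEYS.
    Negated operators (StringNotEquals...) widen access, they do not scope it."""
    return any(k in SCOPING_KEYS
               for op, pairs in condition.items() if "Not" not in op
               for k in pairs)


def _is_write(action: str) -> bool:
    name = action.split(":", 1)[-1]
    return name == "*" or name.startswith(WRITE_PREFIXES)


def lint_repository_policy(policy: dict) -> list:
    """One finding string per problem; an empty list means the policy passed."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        wildcard = _is_wildcard(stmt.get("Principal"))
        if wildcard and not _scoped(stmt.get("Condition", {})):
            findings.append(f"{sid}: Principal '*' without an org/account scoping "
                            "condition makes the repository public")
        if wildcard and any(_is_write(a) for a in actions):
            findings.append(f"{sid}: write actions granted to a wildcard principal")
        if "ecr:GetAuthorizationToken" in actions:
            findings.append(f"{sid}: ecr:GetAuthorizationToken is a registry-level "
                            "action; grant it in the caller's own IAM policy instead")
    return findings


def pull_uri(owner_account: str, region: str, repository: str, tag: str) -> str:
    """The shared repository never appears in the consumer's own repository
    list; the consumer pulls it through the owner's registry hostname."""
    return f"{owner_account}.dkr.ecr.{region}.amazonaws.com/{repository}:{tag}"


if __name__ == "__main__":
    policy = build_org_readonly_policy("o-exampleorg1")  # made-up org ID
    print(json.dumps(policy, indent=2))
    print(lint_repository_policy(policy) or "policy OK")
    print("docker pull", pull_uri("111111111111", "us-west-2", "yyy", "latest"))
```

The linter flags three things a reviewer looks for in a repository policy: a wildcard principal with no aws:PrincipalOrgID / aws:PrincipalOrgPaths / aws:PrincipalAccount scoping (which is a public repository), write actions handed to a wildcard principal, and ecr:GetAuthorizationToken listed where it has no effect. StringEquals is used instead of the question's StringLike because an org ID is an exact value.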

Related

Unable to Create Policy for AWS ECR

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_id>:user/root"
},
"Action": [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": [
"xxx.dkr.ecr.us-west-2.amazonaws.com/yyy"
]
}
]
}
The command I try to use is:
aws ecr set-repository-policy --repository-name yyy --policy-text file://ecr-policy.json
If I do ls on my Linux machine I can see this ecr-policy.json in the same folder where I run this command.
I want to grant access to myself.
I am always getting this error:
An error occurred (InvalidParameterException) when calling the SetRepositoryPolicy operation: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'
I checked my AWS ARN and it ends with root.
You don't need a Resource section because this statement will be attached to a specific repository. Try adding the following statement at Console > ECR > Repositories > [Select a repo on the Images table] > Permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<account #>:user/<your IAM user name>",
"arn:aws:iam::<account #>:root"
]
},
"Action": [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
]
}
NOTE: Replace <account #> with your AWS account ID.
Remove the Resource element from the policy JSON file:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_id>:root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchDeleteImage",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:ListImages",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
]
}
Or you can set it in the AWS Console:
Go to Amazon ECR > Repositories
Create a repository
Click the repository you created
and go to the Permissions tab
Edit permissions -> input the above JSON
Try the Resource in this format:
arn:${Partition}:ecr:${Region}:${Account}:repository/${Repository-name}
https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_service-with-iam.html

Restricting access to AWS resources to one specific region

I am trying to have my lambda full access restricted to a particular region.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"dynamodb:*",
"events:*",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"lambda:*",
"logs:*",
"s3:*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": "us-east-1"
}
}
}
]
}
This is my policy.
But currently it is not working: the user is still able to access Lambda with full access in another region.
What am I missing here?
Your IAM user(s) are probably allowed to perform these actions in different regions because your policy is Allow-only and they have other policies that allow unrestricted access.
To overcome the issue you can use a Deny statement in the policy, as explained in AWS: Denies access to AWS based on the requested Region. Deny always wins, which means that this policy will take precedence over any allows.
So your policy, based on the AWS docs linked, could be:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"cloudwatch:*",
"dynamodb:*",
"events:*",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"lambda:*",
"logs:*",
"s3:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": "us-east-1"
}
}
}
]
}
Note that in the AWS docs they also use NotAction instead of Action. So you have to take into account what you wish your users to be able to do, or not do. But in your case, I think Action is fine.
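The following is an added example, not code from the answer or from AWS: a small offline model of how IAM combines the identity-based policies attached to one principal. It reproduces the answer's point, that an Allow with an aws:RequestedRegion condition restricts nothing when another policy (here AdministratorAccess) also allows the action, while a Deny with StringNotEquals blocks it, and it also shows the caveat that a Deny listing specific services leaves every other service untouched, which is what the NotAction form in the AWS docs is for. Only Action/NotAction wildcards and String(Not)Equals are modelled, Resource is ignored, and every policy document below is constructed for the example (the global-service exemption list is an assumed, reduced one).

```python
"""Added example, not from the original answer: a minimal offline model of
IAM evaluation across several identity-based policies (explicit deny wins,
then any allow, else implicit deny). Policies below are constructed."""
from fnmatch import fnmatchcase

RESTRICTED_ACTIONS = ["cloudwatch:*", "dynamodb:*", "events:*", "iam:GetRole",
                      "iam:PassRole", "lambda:*", "logs:*", "s3:*"]

# What the question's user also has: unrestricted access from another policy.
ADMINISTRATOR_ACCESS = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The question's policy: Allow, conditioned on the region.
ALLOW_ONLY_IN_US_EAST_1 = {"Statement": [{
    "Effect": "Allow", "Action": RESTRICTED_ACTIONS, "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}}]}

# The answer's policy: Deny the listed actions outside the region.
DENY_OUTSIDE_US_EAST_1 = {"Statement": [{
    "Effect": "Deny", "Action": RESTRICTED_ACTIONS, "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}}]}

# The AWS-docs shape: deny everything outside the region except a list of
# global services (assumed, reduced exemption list for this example).
DENY_OUTSIDE_EXCEPT_GLOBAL = {"Statement": [{
    "Effect": "Deny", "NotAction": ["iam:*", "sts:*", "organizations:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}}]}


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def _condition_holds(condition, context):
    """Evaluate String(Not)Equals; a key absent from the request is None."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "StringNotEquals" and actual in _as_list(wanted):
                return False
    return True


def _covers(stmt, action):
    if "Action" in stmt:
        return any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    # NotAction: the statement applies to every action except those listed
    return not any(fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))


def evaluate(policies, action, region):
    """Return IAM's three outcomes: 'explicitDeny', 'allow' or 'implicitDeny'."""
    context = {"aws:RequestedRegion": region}
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _covers(stmt, action) and _condition_holds(stmt.get("Condition", {}), context):
                if stmt["Effect"] == "Deny":
                    return "explicitDeny"  # an explicit deny is final
                decision = "allow"
    return decision


if __name__ == "__main__":
    attached = [ADMINISTRATOR_ACCESS, ALLOW_ONLY_IN_US_EAST_1]
    print("allow-only, lambda in eu-west-1:",
          evaluate(attached, "lambda:CreateFunction", "eu-west-1"))
    attached = [ADMINISTRATOR_ACCESS, DENY_OUTSIDE_US_EAST_1]
    print("deny, lambda in eu-west-1:",
          evaluate(attached, "lambda:CreateFunction", "eu-west-1"))
    print("deny, ec2 in eu-west-1 (not in the list):",
          evaluate(attached, "ec2:RunInstances", "eu-west-1"))
    attached = [ADMINISTRATOR_ACCESS, DENY_OUTSIDE_EXCEPT_GLOBAL]
    print("deny NotAction, ec2 in eu-west-1:",
          evaluate(attached, "ec2:RunInstances", "eu-west-1"))
```

The third print is the practical check: with the Action-list Deny, ec2:RunInstances in eu-west-1 is still allowed by AdministratorAccess because EC2 is not in the list. The NotAction form closes that gap while leaving the exempted global services usable, which matters because IAM calls report us-east-1 as their requested region and would otherwise be cut off by a blanket Deny.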

AWS ECR - Apply IAM policy that applies to all repositories and not individually

I am trying to set up cross-account access to ECR repositories.
The only way I can make it work is by setting permissions individually for each repository.
{
"Statement": [
{
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:DeleteRepository",
"ecr:BatchDeleteImage",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepositoryPolicy",
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage"
],
"Principal": {
"AWS": [
"arn:aws:iam::my-other-cross-account:root"
]
},
"Effect": "Allow",
"Sid": "new statement"
}
],
"Version": "2008-10-17"
}
But I have many repositories and I would like to do it just once so that it applies to all repositories.
I have also set up IAM global roles to be assumed from the other account, but it does not work, and the only way to make it work is setting it individually for each repository.
Thanks

Restricting EC2 instance to have read Only Access to ECR repository

I have created an ECR repository to store Docker images. I want to see if I can provide only read-only access to an EC2 instance. My EC2 instance has been given a role which comprises the permission AmazonEC2ContainerRegistryReadOnly, which can be seen as:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings"
],
"Resource": "*"
}
]
}
My ECR repository policy reads like:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "ecr repo policy",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::531523267983:root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer"
]
}
]
}
But when I try to push a Docker image from my EC2 instance to this repository, I am successfully able to push it, even though I have provided read-only access to my EC2 instance. Where am I going wrong?

Limit users from pushing/pulling specific Docker images in AWS ECS Repo

Is there a way to give users permission only to push/pull specific Docker images they own in AWS ECS Repo?
By this time you might have the solution, but sharing some info here:
Consider 2 users with the following permissions:
ecr-user with policy ARN arn:aws:iam::aws:policy/AdministratorAccess, which grants admin permissions for all resources in AWS:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
vault-user with policy ARN arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy, which has limited permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
You can get this info from IAM->Users and click on the Policy name attached to the user.
Consider the 2 repositories below, which are associated with the users ecr-user and vault-user.
The repo ecr-permissions is linked with ecr-user with the following permissions:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "denyAdmin",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::****:user/ecr-user"
},
"Action": [
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:ListImages",
"ecr:PutImage",
"ecr:PutLifecyclePolicy",
"ecr:UploadLayerPart"
]
}
]
}
So with the above policy, you can even restrict the admin user (ecr-user) from pushing to this repo.
$ docker push ****.dkr.ecr.us-east-1.amazonaws.com/ecr-permissions:1.0
The push refers to repository [****.dkr.ecr.us-east-1.amazonaws.com/ecr-permissions]
fe6a7a3b3f27: Layer already exists
d0673244f7d4: Layer already exists
d8a33133e477: Layer already exists
denied: User: arn:aws:iam::****:user/ecr-user is not authorized to perform: ecr:UploadLayerPart on resource: arn:aws:ecr:us-east-1:****:repository/ecr-permissions with an explicit deny
Similarly, you can allow a non-admin user (in this case vault-user) with read-only permission on the ECR repo to push Docker images by tuning the ECR repo policy as shown below.
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "pushDocker",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::****:user/vault-user"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
]
}
Before adding the above policy:
$ docker push ****.dkr.ecr.us-east-1.amazonaws.com/rlokinen/first-ecr:0.3
The push refers to repository [****.dkr.ecr.us-east-1.amazonaws.com/rlokinen/first-ecr]
fe6a7a3b3f27: Layer already exists
d0673244f7d4: Layer already exists
d8a33133e477: Layer already exists
denied: User: arn:aws:iam::****:user/vault-user is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-east-1:****:repository/rlokinen/first-ecr
after adding the policy:
$ docker push ****.dkr.ecr.us-east-1.amazonaws.com/rlokinen/first-ecr:0.3
The push refers to repository [****.dkr.ecr.us-east-1.amazonaws.com/rlokinen/first-ecr]
fe6a7a3b3f27: Layer already exists
d0673244f7d4: Layer already exists
d8a33133e477: Layer already exists
0.3: digest: sha256:dc85890ba9763fe38b178b337d4ccc802874afe3c02e6c98c304f65b08af958f size: 948
These policies are defined per repo in ECR: ECR -> Repositories -> <REPO-NAME> -> Permissions.
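The following is an added example, not code from the answer or from AWS: an offline model of how a repository policy and the caller's identity policies combine. It reproduces the two transcripts above (the repository Deny overriding AdministratorAccess, and the repository Allow letting the read-only vault-user push) and, going beyond the answer, the cross-account case asked about elsewhere on this page, where the caller's account and the repository owner must both allow the action. Conditions and Resource are not modelled, and the account IDs, user names and repository policies are constructed for the example.

```python
"""Added example, not from the original answer: combine an ECR repository
policy with the caller's identity policies, same-account and cross-account.
Account IDs and user names below are constructed."""
from fnmatch import fnmatchcase

OWNER = "111111111111"   # account that owns the repositories (assumed)
OTHER = "222222222222"   # a second account for the cross-account case (assumed)

ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ECS_TASK_EXECUTION = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
    "logs:CreateLogStream", "logs:PutLogEvents"]}]}
PUSH_PULL = ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
             "ecr:CompleteLayerUpload", "ecr:GetDownloadUrlForLayer",
             "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart"]

# The answer's "denyAdmin" statement on repo ecr-permissions.
DENY_ADMIN_REPO = {"Statement": [{
    "Sid": "denyAdmin", "Effect": "Deny",
    "Principal": {"AWS": f"arn:aws:iam::{OWNER}:user/ecr-user"},
    "Action": ["ecr:BatchGetImage", "ecr:PutImage", "ecr:UploadLayerPart"]}]}
# The answer's "pushDocker" statement on repo first-ecr.
ALLOW_VAULT_REPO = {"Statement": [{
    "Sid": "pushDocker", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{OWNER}:user/vault-user"},
    "Action": PUSH_PULL}]}
# Cross-account grant to a whole other account (assumed policy).
ALLOW_OTHER_ACCOUNT_REPO = {"Statement": [{
    "Sid": "crossAccount", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{OTHER}:root"}, "Action": PUSH_PULL}]}
NO_POLICY = {"Statement": []}


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def _account(arn):
    return arn.split(":")[4]


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    # "<account>:root" in a resource policy delegates to that whole account
    return caller_arn in allowed or f"arn:aws:iam::{_account(caller_arn)}:root" in allowed


def _decide(statements, action, caller_arn=None):
    """Explicit deny wins; otherwise any matching Allow; else implicit deny.
    caller_arn is only checked for resource-policy statements (which carry a Principal)."""
    decision = "implicitDeny"
    for stmt in statements:
        if caller_arn and not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"
        decision = "allow"
    return decision


def ecr_decision(caller_arn, identity_policies, repo_policy, action, repo_account=OWNER):
    identity = _decide([s for p in identity_policies for s in p["Statement"]], action)
    resource = _decide(repo_policy["Statement"], action, caller_arn)
    if "explicitDeny" in (identity, resource):
        return "explicitDeny"
    if _account(caller_arn) == repo_account:
        # same account: an Allow in either the identity or the repository policy is enough
        return "allow" if "allow" in (identity, resource) else "implicitDeny"
    # cross account: the caller's account AND the repository owner must both allow
    return "allow" if identity == resource == "allow" else "implicitDeny"


if __name__ == "__main__":
    ecr_user = f"arn:aws:iam::{OWNER}:user/ecr-user"
    vault_user = f"arn:aws:iam::{OWNER}:user/vault-user"
    print("admin pushes to ecr-permissions:",
          ecr_decision(ecr_user, [ADMIN], DENY_ADMIN_REPO, "ecr:UploadLayerPart"))
    print("vault-user before the repo policy:",
          ecr_decision(vault_user, [ECS_TASK_EXECUTION], NO_POLICY, "ecr:InitiateLayerUpload"))
    print("vault-user after the repo policy:",
          ecr_decision(vault_user, [ECS_TASK_EXECUTION], ALLOW_VAULT_REPO, "ecr:InitiateLayerUpload"))
```

The same-account branch is why a repository Allow alone is enough for vault-user, and the cross-account branch is why the per-repository policy in the other questions is unavoidable: the owner's repository policy and the caller's identity policy are two separate gates, and an explicit Deny in either one closes both.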
You can configure IAM users within your account to push and pull images.
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::aws_account_id:user/push-pull-user-1",
"arn:aws:iam::aws_account_id:user/push-pull-user-2"
]
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
]
}
]
}
Reference: documentation