{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_id>:user/root"
},
"Action": [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": [
"xxx.dkr.ecr.us-west-2.amazonaws.com/yyy"
]
}
]
}
Command I try to use is:
aws ecr set-repository-policy --repository-name yyy --policy-text file://ecr-policy.json
If I do ls in my linux machine I can see this ecr-policy.json in same folder where I run this command.
I want to grant access to myself.
I am always getting error:
An error occurred (InvalidParameterException) when calling the SetRepositoryPolicy operation: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'
I checked my AWS ARN and it ends with root.
i want to grant access to myself.
You don't need a resource section because this statement will be attached to a specific repository. Try add the following statement at Console > ECR > Repositories > [Select a repo on the Images table] > Permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<account #>:user/<your IAM user name>",
"arn:aws:iam::<account #>:root"
]
},
"Action": [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
]
}
NOTE: Replace <account #> with your AWS account ID.
Remove Resource in Policy json file
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_id>:user/root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchDeleteImage",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:ListImages",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
]
}
Or you can set on AWS Console
Go to Amazon ECR > Repositories
Create Repository
Click what your create Repository
and go to permissions tab
Edit permissions -> Input the above json file
try resource in a format:
arn:${Partition}:ecr:${Region}:${Account}:repository/${Repository-name}
https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_service-with-iam.html
Related
I am trying to create a Glue job in an account that has full access to all resources
The script gets generated but when I try and save it I get the following error
[gluestudio-service.us-east-1.amazonaws.com] createJob: AccessDeniedException: Account XXXXX is denied access.
The role I am using has nothing fancy in it and has full access to glue and all S3 resources.
Its not an organisational account
Any insight would be greatly appreciated
I am using the managed AWSGlueServiceRole as well as the AmazonS3FullAccess roles
I have added the follwoing
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"glue:UseGlueStudio",
"iam:ListRoles",
"iam:ListUsers",
"iam:ListGroups",
"iam:ListRolePolicies",
"iam:GetRole",
"iam:GetRolePolicy",
"glue:SearchTables",
"glue:GetConnections",
"glue:GetJobs",
"glue:GetTables",
"glue:BatchStopJobRun",
"glue:GetSecurityConfigurations",
"glue:DeleteJob",
"glue:GetDatabases",
"glue:CreateConnection",
"glue:GetSchema",
"glue:GetTable",
"glue:GetMapping",
"glue:CreateJob",
"glue:DeleteConnection",
"glue:CreateScript",
"glue:UpdateConnection",
"glue:GetConnection",
"glue:StartJobRun",
"glue:GetJobRun",
"glue:UpdateJob",
"glue:GetPlan",
"glue:GetJobRuns",
"glue:GetTags",
"glue:GetJob"
],
"Resource": "*"
},
{
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/AWSGlueServiceRole*",
"Condition": {
"StringLike": {
"iam:PassedToService": [
"glue.amazonaws.com"
]
}
}
}
]
}```
Add Trusted Policy like the following in the Role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "glue.amazonaws.com",
"AWS": "arn:aws:iam::123456789:root"
},
"Action": "sts:AssumeRole"
}
]
}
I've created a role with an attached Policy "AmazonSSMManagedInstanceCore":
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeAssociation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:DescribeDocument",
"ssm:GetManifest",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:ListAssociations",
"ssm:ListInstanceAssociations",
"ssm:PutInventory",
"ssm:PutComplianceItems",
"ssm:PutConfigurePackageResult",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
}
]
}
And Trust relationships:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
I've then attached the IAM role to the instance. When I start the SSM agent in the instance I get the following error:
2022-03-16 23:14:49 ERROR [HandleAwsError # awserr.go.49] [ssm-agent-worker] [MessageService] [MDSInteractor] error when calling AWS APIs. error details - GetMessages Error: AccessDeniedException: User: arn:aws:sts::XXXX:assumed-role/SSMandCloudWatch/i-YYYYY is not authorized to perform: ec2messages:GetMessages on resource: arn:aws:ssm:eu-central-1:XXXX:* with an explicit deny in a service control policy
status code: 400, request id: zzzz
The call it's complaining about is explicitly allowed in the policy. I've tried restarting the agent but didn't make any difference.
AWS permission evaluation can be complex. I like this AWS diagram below, so it is a good one to follow to track down permissions issues.
So there are a few other things to check or be aware of that could still be limiting access.
Using the aws CLI I'm trying to find a way to add an account ID to an ecr image repositories permissions without having to rewrite the whole json. is there an easy way to do this?
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowCrossAccountPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111:root",
"arn:aws:iam::222:root",
"arn:aws:iam::333:root",
"arn:aws:iam::444:root",
"arn:aws:iam::<ADD_NEW_ACCOUNT_HERE>:root",
]
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImageScanFindings",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:ListTagsForResource"
]
}
]
}
I have created ecr repository to store docker images. I want to see if i can only provide read-only access to ec2 instance . My ec2 instance has been given a role which comprise of the perimssion : AmazonEC2ContainerRegistryReadOnly which can be seens as --
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings"
],
"Resource": "*"
}
]
}
My ecr policy reads like:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "ecr repo policy",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::531523267983:root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer"
]
}
]
}
But when i am trying to push a docker image from my ec2 instance to this repository , i am successfully able to push that , even though i have provided readonly access to my ec2 instance. Where am i going wrong
Is there a way to give users permission only to push/pull specific Docker images they own in AWS ECS Repo?
By this time you might have the solution, but sharing some info here:
Consider 2 users with the following permissions:
ecr-user with policy ARN: arn:aws:iam::aws:policy/AdministratorAccess who have admin permissions for all resources in AWS:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
vault-user with policy ARN :arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy who has limited permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
You can get this info from IAM->Users and click on the Policy name attached to the user.
Consider below 2 repositories which are associated with users ecr-user and vault-user
the repo ecr-permissions is linked with ecr-user with the following permissions:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "denyAdmin",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::****:user/ecr-user"
},
"Action": [
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:ListImages",
"ecr:PutImage",
"ecr:PutLifecyclePolicy",
"ecr:UploadLayerPart"
]
}
]
}
So with the above policy, you can even restrict admin user(ecr-user) to push to this repo.
$ docker push ****.dkr.ecr.us-east-1.amazonaws.com/ecr-permissions:1.0
The push refers to repository [****.dkr.ecr.us-east-1.amazonaws.com/ecr-permissions]
fe6a7a3b3f27: Layer already exists
d0673244f7d4: Layer already exists
d8a33133e477: Layer already exists
denied: User: arn:aws:iam::****:user/ecr-user is not authorized to perform: ecr:UploadLayerPart on resource: arn:aws:ecr:us-east-1:****:repository/ecr-permissions with an explicit deny
Similarly, you can allow non-admin/user[in this case vault-user] with read-only permission on ECR repo can push docker images by tuning the ECR repo policies as shown below.
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "pushDocker",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::****:user/vault-user"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
]
}
Before adding the above policy:
$ docker push ****.dkr.ecr.us-east-1.amazonaws.com/rlokinen/first-ecr:0.3
The push refers to repository [****.dkr.ecr.us-east-1.amazonaws.com/rlokinen/first-ecr]
fe6a7a3b3f27: Layer already exists
d0673244f7d4: Layer already exists
d8a33133e477: Layer already exists
denied: User: arn:aws:iam::****:user/vault-user is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-east-1:****:repository/rlokinen/first-ecr
after adding the policy:
$ docker push ****.dkr.ecr.us-east-1.amazonaws.com/rlokinen/first-ecr:0.3
The push refers to repository [****.dkr.ecr.us-east-1.amazonaws.com/rlokinen/first-ecr]
fe6a7a3b3f27: Layer already exists
d0673244f7d4: Layer already exists
d8a33133e477: Layer already exists
0.3: digest: sha256:dc85890ba9763fe38b178b337d4ccc802874afe3c02e6c98c304f65b08af958f size: 948
These policies are defined per REPO in ECR. ECR->Repositories-><REPO-NAME>permissions.
You can configure IAM users within your account to push and pull images.
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::aws_account_id:user/push-pull-user-1",
"arn:aws:iam::aws_account_id:user/push-pull-user-2"
]
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
]
}
]
}
Reference: documentation