Using the aws CLI I'm trying to find a way to add an account ID to an ecr image repositories permissions without having to rewrite the whole json. is there an easy way to do this?
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowCrossAccountPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111:root",
"arn:aws:iam::222:root",
"arn:aws:iam::333:root",
"arn:aws:iam::444:root",
"arn:aws:iam::<ADD_NEW_ACCOUNT_HERE>:root",
]
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImageScanFindings",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:ListTagsForResource"
]
}
]
}
Related
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_id>:user/root"
},
"Action": [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": [
"xxx.dkr.ecr.us-west-2.amazonaws.com/yyy"
]
}
]
}
Command I try to use is:
aws ecr set-repository-policy --repository-name yyy --policy-text file://ecr-policy.json
If I do ls in my linux machine I can see this ecr-policy.json in same folder where I run this command.
I want to grant access to myself.
I am always getting error:
An error occurred (InvalidParameterException) when calling the SetRepositoryPolicy operation: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'
I checked my AWS ARN and it ends with root.
i want to grant access to myself.
You don't need a resource section because this statement will be attached to a specific repository. Try add the following statement at Console > ECR > Repositories > [Select a repo on the Images table] > Permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<account #>:user/<your IAM user name>",
"arn:aws:iam::<account #>:root"
]
},
"Action": [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
]
}
NOTE: Replace <account #> with your AWS account ID.
Remove Resource in Policy json file
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_id>:user/root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchDeleteImage",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:ListImages",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
]
}
Or you can set on AWS Console
Go to Amazon ECR > Repositories
Create Repository
Click what your create Repository
and go to permissions tab
Edit permissions -> Input the above json file
try resource in a format:
arn:${Partition}:ecr:${Region}:${Account}:repository/${Repository-name}
https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_service-with-iam.html
I am super confused at the moment and struggling to work with AWS. I created a copilot app, created the services and later wanted to delete it. I deleted some stuff manually it seems and now I am left with an inoperable stackset that I cannot remove it. As the stack has to be empty but the stack instance is inoperable so I cant do anything to it
I have two roles, execution and admin, this is the execution role
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudformation:*",
"s3:*",
"sns:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "StackSetRequiredPermissions"
},
{
"Action": [
"kms:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ManageKMSKeys"
},
{
"Action": [
"ecr:DescribeImageScanFindings",
"ecr:GetLifecyclePolicyPreview",
"ecr:CreateRepository",
"ecr:GetDownloadUrlForLayer",
"ecr:GetAuthorizationToken",
"ecr:ListTagsForResource",
"ecr:ListImages",
"ecr:DeleteLifecyclePolicy",
"ecr:DeleteRepository",
"ecr:SetRepositoryPolicy",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:BatchCheckLayerAvailability",
"ecr:GetRepositoryPolicy",
"ecr:GetLifecyclePolicy",
"ecr:TagResource"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ManageECRRepos"
}
]
}
And this is the admin
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudformation:*",
"s3:*",
"sns:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "StackSetRequiredPermissions"
},
{
"Action": [
"kms:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ManageKMSKeys"
},
{
"Action": [
"ecr:DescribeImageScanFindings",
"ecr:GetLifecyclePolicyPreview",
"ecr:CreateRepository",
"ecr:GetDownloadUrlForLayer",
"ecr:GetAuthorizationToken",
"ecr:ListTagsForResource",
"ecr:ListImages",
"ecr:DeleteLifecyclePolicy",
"ecr:DeleteRepository",
"ecr:SetRepositoryPolicy",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:BatchCheckLayerAvailability",
"ecr:GetRepositoryPolicy",
"ecr:GetLifecyclePolicy",
"ecr:TagResource"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ManageECRRepos"
}
]
}
They don't look quite right as I messed around with them to get this to work, but no luck.
Deleting the stackset and retaining the stack was the way to go. Afterwords I could manually delete the stack.
I am trying to grant access to a Elastice Container Repository to a group of users and I use the following managed policies:
AmazonEC2ContainerRegistryPowerUser
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage"
],
"Resource": "*"
}
]
}
AmazonEC2ContainerRegistryReadOnly
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings"
],
"Resource": "*"
}
]
}
But the users get the following error:
There was an error fetching the repositories: User: arn:aws:iam::XXXXX:user/USERA is not authorized to perform: ecr:DescribeRepositories on resource: arn:aws:ecr:us-east-1:XXXX:repository/* with an explicit deny
What am I doing wrong?
You probably have another policy attached that denies the ecr:DescribeRepositories permission. Refer to the policy evaluation flowchart in the AWS docs to see how this works. You should look at the complete permission set associated with the user and look for the policy that has the explicit deny.
I am trying to set cross account access to ECR repositories.
The only way I get to make it work is setting permission individually for each repository.
{
"Statement": [
{
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:DeleteRepository",
"ecr:BatchDeleteImage",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepositoryPolicy",
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage"
],
"Principal": {
"AWS": [
"arn:aws:iam::my-other-cross-account:root"
]
},
"Effect": "Allow",
"Sid": "new statement"
}
],
"Version": "2008-10-17"
}
But I have many repositories and I would like to do it just once that apply for all repositories.
I also have set iam global roles to be assumed from other accout but it does not work and the only way to make it work is individually settting for each repository.
Thanks
I have created ecr repository to store docker images. I want to see if i can only provide read-only access to ec2 instance . My ec2 instance has been given a role which comprise of the perimssion : AmazonEC2ContainerRegistryReadOnly which can be seens as --
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings"
],
"Resource": "*"
}
]
}
My ecr policy reads like:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "ecr repo policy",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::531523267983:root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer"
]
}
]
}
But when i am trying to push a docker image from my ec2 instance to this repository , i am successfully able to push that , even though i have provided readonly access to my ec2 instance. Where am i going wrong