I am trying to grant access to a Elastice Container Repository to a group of users and I use the following managed policies:
AmazonEC2ContainerRegistryPowerUser
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage"
],
"Resource": "*"
}
]
}
AmazonEC2ContainerRegistryReadOnly
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings"
],
"Resource": "*"
}
]
}
But the users get the following error:
There was an error fetching the repositories: User: arn:aws:iam::XXXXX:user/USERA is not authorized to perform: ecr:DescribeRepositories on resource: arn:aws:ecr:us-east-1:XXXX:repository/* with an explicit deny
What am I doing wrong?
You probably have another policy attached that denies the ecr:DescribeRepositories permission. Refer to the policy evaluation flowchart in the AWS docs to see how this works. You should look at the complete permission set associated with the user and look for the policy that has the explicit deny.
Related
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_id>:user/root"
},
"Action": [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": [
"xxx.dkr.ecr.us-west-2.amazonaws.com/yyy"
]
}
]
}
Command I try to use is:
aws ecr set-repository-policy --repository-name yyy --policy-text file://ecr-policy.json
If I do ls in my linux machine I can see this ecr-policy.json in same folder where I run this command.
I want to grant access to myself.
I am always getting error:
An error occurred (InvalidParameterException) when calling the SetRepositoryPolicy operation: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'
I checked my AWS ARN and it ends with root.
i want to grant access to myself.
You don't need a resource section because this statement will be attached to a specific repository. Try add the following statement at Console > ECR > Repositories > [Select a repo on the Images table] > Permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<account #>:user/<your IAM user name>",
"arn:aws:iam::<account #>:root"
]
},
"Action": [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
]
}
NOTE: Replace <account #> with your AWS account ID.
Remove Resource in Policy json file
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_id>:user/root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchDeleteImage",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:ListImages",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
]
}
Or you can set on AWS Console
Go to Amazon ECR > Repositories
Create Repository
Click what your create Repository
and go to permissions tab
Edit permissions -> Input the above json file
try resource in a format:
arn:${Partition}:ecr:${Region}:${Account}:repository/${Repository-name}
https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_service-with-iam.html
Using the aws CLI I'm trying to find a way to add an account ID to an ecr image repositories permissions without having to rewrite the whole json. is there an easy way to do this?
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowCrossAccountPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111:root",
"arn:aws:iam::222:root",
"arn:aws:iam::333:root",
"arn:aws:iam::444:root",
"arn:aws:iam::<ADD_NEW_ACCOUNT_HERE>:root",
]
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImageScanFindings",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:ListTagsForResource"
]
}
]
}
I am trying to set cross account access to ECR repositories.
The only way I get to make it work is setting permission individually for each repository.
{
"Statement": [
{
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:DeleteRepository",
"ecr:BatchDeleteImage",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepositoryPolicy",
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage"
],
"Principal": {
"AWS": [
"arn:aws:iam::my-other-cross-account:root"
]
},
"Effect": "Allow",
"Sid": "new statement"
}
],
"Version": "2008-10-17"
}
But I have many repositories and I would like to do it just once that apply for all repositories.
I also have set iam global roles to be assumed from other accout but it does not work and the only way to make it work is individually settting for each repository.
Thanks
I have created ecr repository to store docker images. I want to see if i can only provide read-only access to ec2 instance . My ec2 instance has been given a role which comprise of the perimssion : AmazonEC2ContainerRegistryReadOnly which can be seens as --
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings"
],
"Resource": "*"
}
]
}
My ecr policy reads like:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "ecr repo policy",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::531523267983:root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer"
]
}
]
}
But when i am trying to push a docker image from my ec2 instance to this repository , i am successfully able to push that , even though i have provided readonly access to my ec2 instance. Where am i going wrong
I am creating a Blockchain network using the AWS hyperledger fabric template.
The policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings",
"s3:Get*",
"s3:List*"
],
"Resource": "*"
}
]
}
Here is the error:
Embedded stack arn:aws:cloudformation:us-east-1:506678340351:stack/blockchainbook-FabricEC2CommonStack-8DF2HAE5AFA4/5f2804b0-4669-11ea-b41c-0ac97ebd7097 was not successfully created: The following resource(s) failed to create: [EC2InstanceForDev].