We Keep Coding

Sharing ECR repository within AWS organiztion

How can I share a repository in AWS ECR with all other accounts in organization? From what I have read here and elswere it seems like resource based permissions are the way to go. Namely it is suggested to add aws:PrincipalOrgID condition to a resource. However, when I use Account-A within organization to share the resource I still do not see that resource appearing in private repositories list in Account-B of the same organization. At this point I have exousted all the ideas and just don't understand how to move forward. I am very new to AWS.
Here is how my private repository is configured
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ReadonlyAccess",
"Effect": "Allow",
"Principal": "*",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImageScanFindings",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:ListImages"
],
"Condition": {
"StringLike": {
"aws:PrincipalOrgID": "o-orgniztion"
}
}
}
]
}

According to This post you can use
"Condition": {
"ForAnyValue:StringLike": {
"aws:PrincipalOrgPaths":["o-xxxxxxxxxx/r-xxxx/ou-xxxx-xxxxxxxx/*"]
}
}

Unable to Create Policy for AWS ECR

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_id>:user/root"
},
"Action": [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": [
"xxx.dkr.ecr.us-west-2.amazonaws.com/yyy"
]
}
]
}
Command I try to use is:
aws ecr set-repository-policy --repository-name yyy --policy-text file://ecr-policy.json
If I do ls in my linux machine I can see this ecr-policy.json in same folder where I run this command.
I want to grant access to myself.
I am always getting error:
An error occurred (InvalidParameterException) when calling the SetRepositoryPolicy operation: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'
I checked my AWS ARN and it ends with root.

i want to grant access to myself.
You don't need a resource section because this statement will be attached to a specific repository. Try add the following statement at Console > ECR > Repositories > [Select a repo on the Images table] > Permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<account #>:user/<your IAM user name>",
"arn:aws:iam::<account #>:root"
]
},
"Action": [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
]
}
NOTE: Replace <account #> with your AWS account ID.

Remove Resource in Policy json file
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_id>:user/root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchDeleteImage",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:ListImages",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
]
}
Or you can set on AWS Console
Go to Amazon ECR > Repositories
Create Repository
Click what your create Repository
and go to permissions tab
Edit permissions -> Input the above json file

try resource in a format:
arn:${Partition}:ecr:${Region}:${Account}:repository/${Repository-name}
https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_service-with-iam.html

Adding an account ID to an ECR image repository permissions

Using the aws CLI I'm trying to find a way to add an account ID to an ecr image repositories permissions without having to rewrite the whole json. is there an easy way to do this?
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowCrossAccountPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111:root",
"arn:aws:iam::222:root",
"arn:aws:iam::333:root",
"arn:aws:iam::444:root",
"arn:aws:iam::<ADD_NEW_ACCOUNT_HERE>:root",
]
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImageScanFindings",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:ListTagsForResource"
]
}
]
}

AWS ECR - Apply IAM policy that applies to all repositories and not individually

I am trying to set cross account access to ECR repositories.
The only way I get to make it work is setting permission individually for each repository.
{
"Statement": [
{
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:DeleteRepository",
"ecr:BatchDeleteImage",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepositoryPolicy",
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage"
],
"Principal": {
"AWS": [
"arn:aws:iam::my-other-cross-account:root"
]
},
"Effect": "Allow",
"Sid": "new statement"
}
],
"Version": "2008-10-17"
}
But I have many repositories and I would like to do it just once that apply for all repositories.
I also have set iam global roles to be assumed from other accout but it does not work and the only way to make it work is individually settting for each repository.
Thanks

Limit users from pushing/pulling specific Docker images in AWS ECS Repo

Is there a way to give users permission only to push/pull specific Docker images they own in AWS ECS Repo?

By this time you might have the solution, but sharing some info here:
Consider 2 users with the following permissions:
ecr-user with policy ARN: arn:aws:iam::aws:policy/AdministratorAccess who have admin permissions for all resources in AWS:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
vault-user with policy ARN :arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy who has limited permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
You can get this info from IAM->Users and click on the Policy name attached to the user.
Consider below 2 repositories which are associated with users ecr-user and vault-user
the repo ecr-permissions is linked with ecr-user with the following permissions:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "denyAdmin",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::****:user/ecr-user"
},
"Action": [
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:ListImages",
"ecr:PutImage",
"ecr:PutLifecyclePolicy",
"ecr:UploadLayerPart"
]
}
]
}
So with the above policy, you can even restrict admin user(ecr-user) to push to this repo.
$ docker push ****.dkr.ecr.us-east-1.amazonaws.com/ecr-permissions:1.0
The push refers to repository [****.dkr.ecr.us-east-1.amazonaws.com/ecr-permissions]
fe6a7a3b3f27: Layer already exists
d0673244f7d4: Layer already exists
d8a33133e477: Layer already exists
denied: User: arn:aws:iam::****:user/ecr-user is not authorized to perform: ecr:UploadLayerPart on resource: arn:aws:ecr:us-east-1:****:repository/ecr-permissions with an explicit deny
Similarly, you can allow non-admin/user[in this case vault-user] with read-only permission on ECR repo can push docker images by tuning the ECR repo policies as shown below.
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "pushDocker",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::****:user/vault-user"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
]
}
Before adding the above policy:
$ docker push ****.dkr.ecr.us-east-1.amazonaws.com/rlokinen/first-ecr:0.3
The push refers to repository [****.dkr.ecr.us-east-1.amazonaws.com/rlokinen/first-ecr]
fe6a7a3b3f27: Layer already exists
d0673244f7d4: Layer already exists
d8a33133e477: Layer already exists
denied: User: arn:aws:iam::****:user/vault-user is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-east-1:****:repository/rlokinen/first-ecr
after adding the policy:
$ docker push ****.dkr.ecr.us-east-1.amazonaws.com/rlokinen/first-ecr:0.3
The push refers to repository [****.dkr.ecr.us-east-1.amazonaws.com/rlokinen/first-ecr]
fe6a7a3b3f27: Layer already exists
d0673244f7d4: Layer already exists
d8a33133e477: Layer already exists
0.3: digest: sha256:dc85890ba9763fe38b178b337d4ccc802874afe3c02e6c98c304f65b08af958f size: 948
These policies are defined per REPO in ECR. ECR->Repositories-><REPO-NAME>permissions.

You can configure IAM users within your account to push and pull images.
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::aws_account_id:user/push-pull-user-1",
"arn:aws:iam::aws_account_id:user/push-pull-user-2"
]
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
]
}
]
}
Reference: documentation