
How Do I Assign IAM Users Access to ECR Repositories?

Introduction

This guide explains how to assign IAM users access to AWS Elastic Container Registry (ECR) repositories using Pulumi. By following this guide, you will learn to create an ECR repository, define IAM users, and attach policies that enable these users to interact with the ECR repository.

Step-by-Step Guide

  1. Create an ECR Repository: Begin by creating an ECR repository using Pulumi’s AWS SDK. This repository will store container images.

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Create an ECR repository
    const ecrRepository = new aws.ecr.Repository("my-repo", {
        name: "my-repo",
    });
    
  2. Create an IAM User: Next, create an IAM user who will be granted access to the ECR repository.

    // Create an IAM user
    const user = new aws.iam.User("ecrUser", {
        name: "ecrUser",
    });
    
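  3. Define an IAM Policy: Define a policy that grants the IAM user permission to pull (download) and push (upload) images in the repository. The image and layer actions are scoped to the repository's ARN. The user also needs ecr:GetAuthorizationToken to authenticate to the registry before any pull or push; that action does not support resource-level permissions, so it is granted on "*" in its own statement.

    // Define a policy that allows the user to access the ECR repository
    const ecrPolicy = new aws.iam.Policy("ecrPolicy", {
        description: "Policy to allow ECR actions",
        policy: ecrRepository.arn.apply(arn => JSON.stringify({
            Version: "2012-10-17",
            Statement: [
                {
                    // Required to obtain registry credentials; cannot be scoped to a repository
                    Effect: "Allow",
                    Action: ["ecr:GetAuthorizationToken"],
                    Resource: "*",
                },
                {
                    // Pull and push actions, limited to this repository only
                    Effect: "Allow",
                    Action: [
                        "ecr:GetDownloadUrlForLayer",
                        "ecr:BatchGetImage",
                        "ecr:BatchCheckLayerAvailability",
                        "ecr:PutImage",
                        "ecr:InitiateLayerUpload",
                        "ecr:UploadLayerPart",
                        "ecr:CompleteLayerUpload",
                    ],
                    Resource: arn,
                },
            ],
        })),
    });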
    
  4. Attach the Policy to the User: Attach the defined IAM policy to the IAM user, allowing them to perform the specified actions on the ECR repository.

    // Attach the policy to the user
    const userPolicyAttachment = new aws.iam.UserPolicyAttachment("userPolicyAttachment", {
        user: user.name,
        policyArn: ecrPolicy.arn,
    });
    
  5. Export the ECR Repository URL: Finally, export the repository URL for easy reference.

    // Export the ECR repository URL
    export const repositoryUrl = ecrRepository.repositoryUrl;
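
The following is an added example, not part of the original guide or Pulumi's own code: it builds the step 3 policy document as either a pull-only or a push-and-pull variant and audits a document before it is handed to aws.iam.Policy. The names ecrPolicyDocument, auditEcrPolicy, EcrAccess, PolicyStatement and IamPolicyDocument are hypothetical.

```typescript
// Added example: plain TypeScript with no Pulumi imports.
type EcrAccess = "pull" | "push";
interface PolicyStatement { Effect: "Allow" | "Deny"; Action: string[]; Resource: string; }
interface IamPolicyDocument { Version: "2012-10-17"; Statement: PolicyStatement[]; }

const AUTH_ACTION = "ecr:GetAuthorizationToken";
const PULL_ACTIONS = [
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "ecr:BatchCheckLayerAvailability",
];
const PUSH_ACTIONS = [
    "ecr:PutImage",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
];

// Hypothetical helper: build the document for one repository ARN.
// "pull" omits every write action, so a read-only consumer cannot overwrite tags.
function ecrPolicyDocument(repoArn: string, access: EcrAccess): IamPolicyDocument {
    const repoActions = access === "push" ? PULL_ACTIONS.concat(PUSH_ACTIONS) : PULL_ACTIONS.slice();
    return {
        Version: "2012-10-17",
        Statement: [
            // The token action has no resource-level scoping, so it is granted on "*".
            { Effect: "Allow", Action: [AUTH_ACTION], Resource: "*" },
            { Effect: "Allow", Action: repoActions, Resource: repoArn },
        ],
    };
}

// Hypothetical helper: return findings for a document; an empty array means it passed.
function auditEcrPolicy(doc: IamPolicyDocument): string[] {
    const findings: string[] = [];
    const isWildcard = (a: string) => a === "*" || a === "ecr:*";
    const allows = doc.Statement.filter(s => s.Effect === "Allow");
    const canLogin = allows.some(s =>
        s.Resource === "*" && s.Action.some(a => a === AUTH_ACTION || isWildcard(a)));
    if (!canLogin) findings.push(`missing ${AUTH_ACTION} on Resource "*"`);
    for (const s of allows) {
        if (s.Action.some(isWildcard)) findings.push("wildcard action grants more than push/pull");
        const repoScoped = s.Action.filter(a => a !== AUTH_ACTION);
        if (s.Resource === "*" && repoScoped.length > 0)
            findings.push(`repository actions on Resource "*": ${repoScoped.join(", ")}`);
    }
    return findings;
}
```

In the Pulumi program, the result of JSON.stringify(ecrPolicyDocument(arn, "pull")) inside ecrRepository.arn.apply(...) can be passed as the policy value.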
    

Summary

In this guide, we used Pulumi to create an AWS ECR repository and gave an IAM user access to it by attaching a policy with the necessary permissions. The user can pull and push container images in that repository, and the image and layer actions are limited to the repository's ARN rather than to every repository in the account.
