
How Do I Build an AWS ECR Repository Policy?

Introduction

Managing permissions for an Amazon Elastic Container Registry (ECR) repository is crucial for maintaining security and control over who can access and perform actions on your Docker images. An ECR repository policy allows you to specify these permissions clearly. This guide will walk you through the process of creating an ECR repository and attaching a policy to manage access.

Step-by-Step Guide

Step 1: Define the ECR Repository

The first step is to create an ECR repository where your Docker images will be stored.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an AWS ECR repository
const myRepo = new aws.ecr.Repository("my_repo", {name: "my-repo"});

Step 2: Create the Repository Policy

Next, define an IAM policy document that specifies the actions allowed on the repository. This example allows the read-only actions GetDownloadUrlForLayer, BatchGetImage, and BatchCheckLayerAvailability, which together let a client pull images but not push them. Because the principal is the wildcard "*", the statement grants these actions to any AWS principal in any account; narrow the identifiers list to the account or role ARNs that should be able to pull from this repository.

// Define the ECR repository policy
const ecrPolicy = aws.iam.getPolicyDocumentOutput({
    statements: [{
        actions: [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage",
            "ecr:BatchCheckLayerAvailability",
        ],
        resources: [myRepo.arn],
        principals: [{
            identifiers: ["*"],
            type: "AWS",
        }],
        effect: "Allow",
    }],
});

Step 3: Attach the Policy to the Repository

With the policy defined, attach it to the ECR repository to enforce the specified permissions.

// Attach the repository policy to the ECR repository
const myRepoPolicy = new aws.ecr.RepositoryPolicy("my_repo_policy", {
    repository: myRepo.name,
    // Output property access is lifted, so the rendered JSON can be passed directly
    policy: ecrPolicy.json,
});

Step 4: Output the Repository URL

Finally, output the repository’s URI, which can be used to access the repository.

export const repositoryUrl = myRepo.repositoryUrl;
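The policy document built in steps 2 and 3 is rendered to JSON before ECR receives it. The following is an added example, not code from the page or from Pulumi: it builds that same JSON by hand without the Pulumi SDK and adds two checks a reviewer would run before attaching it, one for the wildcard principal and one for actions beyond the three pull actions. The repository ARN, account ids, and the function names are assumptions for illustration.

```typescript
// Added example, not the page's Pulumi code: the JSON that ECR receives from
// the page's getPolicyDocumentOutput call, built by hand, plus two review checks.
interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal: { AWS: string | string[] };
  Action: string[];
  Resource?: string;
}
interface PolicyDocument { Version: "2012-10-17"; Statement: Statement[] }

// The three read-only actions the page grants; none of them allows a push.
const PULL_ACTIONS = [
  "ecr:GetDownloadUrlForLayer",
  "ecr:BatchGetImage",
  "ecr:BatchCheckLayerAvailability",
];
// Same statement the page builds, with the principal list made explicit.
function buildPullPolicy(repoArn: string, principals: string[]): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [{
      Sid: "AllowPull",
      Effect: "Allow",
      Principal: { AWS: principals },
      Action: [...PULL_ACTIONS],
      Resource: repoArn,
    }],
  };
}
// Sids of Allow statements whose AWS principal is "*", i.e. any AWS account.
function findWildcardPrincipals(doc: PolicyDocument): string[] {
  return doc.Statement
    .filter(s => s.Effect === "Allow")
    .filter(s => ([] as string[]).concat(s.Principal.AWS).indexOf("*") !== -1)
    .map(s => s.Sid ?? "<no Sid>");
}
// True when every Allow statement grants nothing beyond the pull actions.
function isPullOnly(doc: PolicyDocument): boolean {
  return doc.Statement
    .filter(s => s.Effect === "Allow")
    .every(s => s.Action.every(a => PULL_ACTIONS.indexOf(a) !== -1));
}

// Constructed sample values: the account ids and ARN are placeholders.
const repoArn = "arn:aws:ecr:us-east-1:111122223333:repository/my-repo";
const openPolicy = buildPullPolicy(repoArn, ["*"]); // the principal used on the page
const scopedPolicy = buildPullPolicy(repoArn, ["arn:aws:iam::444455556666:root"]);
```

Running findWildcardPrincipals over the page's policy returns ["AllowPull"], while the account-scoped variant returns an empty list; both pass isPullOnly.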

Key Points

  • ECR Repository Creation: Establishes a storage location for Docker images.
  • Policy Definition: Specifies allowed actions and resources, granting necessary permissions.
  • Policy Attachment: Associates the policy with the repository to enforce access control.
  • Repository URL Output: Provides a URI for accessing the repository.

Conclusion

By following these steps, you create an AWS ECR repository with a policy that manages access permissions effectively. This setup ensures that only authorized actions are allowed, maintaining the security and integrity of your Docker images stored in the ECR repository. This approach provides a structured and controlled method to handle repository access in AWS.
