1. Restricting repository access with AWS ECR policies

    TypeScript

    To restrict access to an AWS Elastic Container Registry (ECR) repository, we will create a repository and attach a repository policy to it. The repository policy is a JSON document that specifies the permissions for the repository.

    AWS ECR policies allow you to control who can access your repositories and the permissions they have over them. You can specify actions, like pushing and pulling images, and define who can perform these actions, perhaps limiting them to certain AWS IAM users or roles.

    In this Pulumi program, we will:

    1. Create an ECR repository.
    2. Define a policy document that only allows specific users to access the repository.
    3. Attach this policy to the newly created ECR repository.

    Here's how you might implement this using Pulumi and TypeScript.

        import * as aws from "@pulumi/aws";

        // Create an ECR repository
        const repo = new aws.ecr.Repository("my-repo", {});

        // Define a resource policy for the ECR repository.
        // The policy grants permission to perform ECR actions (like `ecr:GetDownloadUrlForLayer`)
        // only to the specified principal. Replace 'arn:aws:iam::123456789012:root' with your actual IAM user/role ARN.
        // `repo.arn` is a Pulumi Output, so the policy text is built inside `apply` once the ARN
        // is known; calling JSON.stringify on the Output directly would not serialize the ARN.
        const repoPolicyJson = repo.arn.apply(arn => JSON.stringify({
            Version: "2012-10-17",
            Statement: [
                {
                    Sid: "AllowPushPull",
                    Effect: "Allow",
                    Principal: {
                        AWS: "arn:aws:iam::123456789012:root" // Replace with your IAM user or role ARN
                    },
                    Action: [
                        "ecr:GetDownloadUrlForLayer",
                        "ecr:BatchGetImage",
                        "ecr:BatchCheckLayerAvailability",
                        "ecr:PutImage",
                        "ecr:InitiateLayerUpload",
                        "ecr:UploadLayerPart",
                        "ecr:CompleteLayerUpload"
                    ],
                    Resource: arn // Reference the ARN of the created repository
                }
            ]
        }));

        // Attach the policy to the repository
        const repoPolicy = new aws.ecr.RepositoryPolicy("my-repo-policy", {
            repository: repo.name,
            policy: repoPolicyJson
        });

        // Export the repository URL
        export const repositoryUrl = repo.repositoryUrl;

    When the program runs, it performs the following actions:

    • The aws.ecr.Repository resource creates a new ECR repository named my-repo.
    • We prepare a policy in JSON format, which defines who can perform actions on the ECR repository. In this example, you need to replace 'arn:aws:iam::123456789012:root' with the ARN of the IAM user or role that you want to grant access to the repository.
    • The aws.ecr.RepositoryPolicy resource associates the specified policy with the previously created ECR repository.
    • Finally, it exports the repository's URL, which can be used to push and pull images.

    Make sure to replace the placeholder ARN with the ARN of the IAM user or role that needs access to the repository. Also, adjust the actions according to the level of access required. If you want to grant read-only access, include only the Get and BatchGet actions (ecr:GetDownloadUrlForLayer, ecr:BatchGetImage and ecr:BatchCheckLayerAvailability) in the policy. For write access, also include ecr:PutImage and the related layer upload actions.
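    The read-only versus push distinction above can be made hard to get wrong by generating the policy text from an explicit access level, so a pull-only consumer can never be handed push actions and an anonymous ("*") principal is refused before the policy ever reaches AWS. This is an added example, not part of the Pulumi program above; it is plain TypeScript with no Pulumi dependency, and the principal ARNs are constructed sample values.

```typescript
// Added example: build ECR repository policy text from an access level.
// Pull-only principals get only the read actions; "push-pull" adds the
// upload actions listed in the program above. Sample ARNs are constructed.

type EcrAccess = "pull" | "push-pull";

const PULL_ACTIONS = [
  "ecr:GetDownloadUrlForLayer",
  "ecr:BatchGetImage",
  "ecr:BatchCheckLayerAvailability",
];

const PUSH_ACTIONS = [
  "ecr:PutImage",
  "ecr:InitiateLayerUpload",
  "ecr:UploadLayerPart",
  "ecr:CompleteLayerUpload",
];

// Accept only IAM account-root, user or role ARNs. A bare "*" (anonymous
// access) does not match and is rejected, so a repository cannot be opened
// to everyone by a copy-paste mistake.
const IAM_PRINCIPAL_ARN = /^arn:aws:iam::\d{12}:(root|(user|role)\/[\w+=,.@\/-]+)$/;

function ecrActionsFor(access: EcrAccess): string[] {
  return access === "pull" ? [...PULL_ACTIONS] : [...PULL_ACTIONS, ...PUSH_ACTIONS];
}

function buildEcrRepositoryPolicy(principals: string[], access: EcrAccess): string {
  if (principals.length === 0) {
    throw new Error("at least one IAM principal ARN is required");
  }
  for (const p of principals) {
    if (!IAM_PRINCIPAL_ARN.test(p)) {
      throw new Error(`refusing non-IAM or wildcard principal: ${p}`);
    }
  }
  return JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
      Sid: access === "pull" ? "AllowPull" : "AllowPushPull",
      Effect: "Allow",
      Principal: { AWS: principals },
      Action: ecrActionsFor(access),
    }],
  });
}

// Constructed sample principals: a CI role that pushes, a cluster node role that only pulls.
const ciPushPolicy = buildEcrRepositoryPolicy(["arn:aws:iam::123456789012:role/ci-builder"], "push-pull");
const clusterPullPolicy = buildEcrRepositoryPolicy(["arn:aws:iam::123456789012:role/eks-node"], "pull");
```

    In the Pulumi program, either string can be passed as the `policy` argument of `aws.ecr.RepositoryPolicy`.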

    Run this program using the Pulumi CLI. Use pulumi up to create the resources and pulumi destroy to clean up. Remember to log in to your Pulumi account and set up your AWS credentials before running this program.