How do I build an AWS ECR RepositoryPolicy?
To manage permissions for an Amazon Elastic Container Registry (ECR) repository, you often need to define a repository policy. This policy specifies who can perform actions on the repository. Here, we’ll walk through creating an ECR repository and attaching a repository policy to it.
The main components we’ll define:
- An ECR repository to store Docker images.
- A repository policy to control access to the ECR repository.
Below is the code to achieve this:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an AWS ECR repository
const myRepo = new aws.ecr.Repository("my_repo", {name: "my-repo"});

// Define the ECR repository policy
const ecrPolicy = aws.iam.getPolicyDocumentOutput({
    statements: [{
        actions: [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage",
            "ecr:BatchCheckLayerAvailability",
        ],
        resources: [myRepo.arn],
        principals: [{
            // "*" matches every AWS principal, not only those in your account
            identifiers: ["*"],
            type: "AWS",
        }],
        effect: "Allow",
    }],
});

// Attach the repository policy to the ECR repository
const myRepoPolicy = new aws.ecr.RepositoryPolicy("my_repo_policy", {
    repository: myRepo.name,
    policy: ecrPolicy.apply(ecrPolicy => ecrPolicy.json),
});

export const repositoryUrl = myRepo.repositoryUrl;
```
In this example:
- We define an ECR repository named `my-repo`.
- We create an IAM policy document specifying allowed actions such as `GetDownloadUrlForLayer`, `BatchGetImage`, and `BatchCheckLayerAvailability` for all principals.
- This policy is then attached to the ECR repository using the `aws_ecr_repository_policy` resource.
- Finally, we output the repository’s URI using a stack export.
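This gives you a declarative, reviewable way to manage access to your ECR repository. As written, the `*` principal lets any AWS principal pull images from the repository; to restrict who can pull, replace it in `identifiers` with the specific account or role ARNs that need access.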
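The following is an added example, not part of the original answer or Pulumi's own code: a small TypeScript check that reads a rendered repository policy JSON and reports the actions it grants to every AWS principal, which is what the `*` identifier in the policy above does. The function names and both sample policies (including the account ID `123456789012`) are constructed for illustration.

```typescript
// Added example: flags repository-policy statements open to every AWS principal.
interface Statement {
  Effect: string;
  Principal?: string | Record<string, string | string[]>;
  Action?: string | string[];
  Condition?: Record<string, unknown>;
}

// IAM lets Action and Principal values be a single string or a list.
function asList(v: string | string[] | undefined): string[] {
  if (v === undefined) return [];
  return Array.isArray(v) ? v : [v];
}

// True for "Principal": "*" and for "Principal": {"AWS": "*"}.
function isWildcardPrincipal(p: Statement["Principal"]): boolean {
  if (p === undefined) return false;
  if (typeof p === "string") return p === "*";
  return asList(p["AWS"]).indexOf("*") !== -1;
}

// Actions granted to everyone by Allow statements that carry no Condition.
// A statement with any Condition is skipped here and needs manual review.
function publiclyGrantedActions(policyJson: string): string[] {
  const doc = JSON.parse(policyJson) as { Statement: Statement | Statement[] };
  const statements = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
  const open: string[] = [];
  for (const s of statements) {
    if (s.Effect === "Allow" && isWildcardPrincipal(s.Principal) && !s.Condition) {
      open.push(...asList(s.Action));
    }
  }
  return open;
}

// Constructed samples: the shape of the policy above, then a scoped variant.
const PULL = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"];
const WILDCARD_POLICY = JSON.stringify({
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { AWS: "*" }, Action: PULL }],
});
const SCOPED_POLICY = JSON.stringify({
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { AWS: "arn:aws:iam::123456789012:root" }, Action: PULL }],
});

console.log(publiclyGrantedActions(WILDCARD_POLICY));
console.log(publiclyGrantedActions(SCOPED_POLICY));
```

Run against the JSON of a deployed policy, a non-empty result means the listed actions are available to principals outside your account.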