
How do I build an AWS ECR RepositoryPolicy?

To manage permissions for an Amazon Elastic Container Registry (ECR) repository, you often need to define a repository policy. This policy specifies who can perform actions on the repository. Here, we’ll walk through creating an ECR repository and attaching a repository policy to it.

The main components we’ll define:

  1. An ECR repository to store Docker images.
  2. A repository policy to control access to the ECR repository.

Below is the code to achieve this:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an AWS ECR repository
const myRepo = new aws.ecr.Repository("my_repo", {name: "my-repo"});
// Define the ECR repository policy
const ecrPolicy = aws.iam.getPolicyDocumentOutput({
    statements: [{
        actions: [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage",
            "ecr:BatchCheckLayerAvailability",
        ],
        resources: [myRepo.arn],
        principals: [{
            // "*" with type "AWS" matches every AWS principal, in any account
            identifiers: ["*"],
            type: "AWS",
        }],
        effect: "Allow",
    }],
});
// Attach the repository policy to the ECR repository
const myRepoPolicy = new aws.ecr.RepositoryPolicy("my_repo_policy", {
    repository: myRepo.name,
    policy: ecrPolicy.apply(ecrPolicy => ecrPolicy.json),
});
export const repositoryUrl = myRepo.repositoryUrl;

In this example:

  • We define an ECR repository named my-repo.
  • We create an IAM policy document that allows the pull actions GetDownloadUrlForLayer, BatchGetImage, and BatchCheckLayerAvailability for all principals (identifiers: ["*"] with type "AWS").
  • This policy is then attached to the ECR repository using the aws.ecr.RepositoryPolicy resource.
  • Finally, we output the repository’s URI using a stack export.

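This attaches a resource-based policy that controls who can access your ECR repository. As written, the "*" identifier lets any AWS principal, in any account, pull images from it; to limit access, replace "*" with the ARNs of the specific accounts or roles that need to pull.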
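The following is an added example, not part of the original answer or Pulumi's own code: a TypeScript check that parses a repository policy's JSON and reports every Allow statement whose principal is a wildcard, which is what the policy above grants. The function names, the sample policies (Resource omitted) and the account ID 111122223333 are constructed for illustration.

```typescript
// Added example: flag ECR repository policy statements that allow every principal.
type OneOrMany = string | string[];
interface PolicyStatement {
  Effect: string;
  Principal?: "*" | { [type: string]: OneOrMany };
  Action?: OneOrMany;
  Condition?: { [operator: string]: unknown };
}
interface Finding { index: number; actions: string[]; hasCondition: boolean; }

const toArray = (v: OneOrMany | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// True for "Principal": "*" and for "Principal": {"AWS": "*"} (or a list containing "*").
function isWildcardPrincipal(p: PolicyStatement["Principal"]): boolean {
  if (p === undefined) return false;
  if (p === "*") return true;
  return toArray(p["AWS"]).indexOf("*") !== -1;
}

// Returns one finding per Allow statement whose principal is a wildcard.
// hasCondition is reported, not evaluated: a Condition may or may not narrow access.
function findWildcardAllows(policyJson: string): Finding[] {
  const doc = JSON.parse(policyJson) as { Statement: PolicyStatement | PolicyStatement[] };
  const statements = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
  const findings: Finding[] = [];
  statements.forEach((s, index) => {
    if (s.Effect !== "Allow" || !isWildcardPrincipal(s.Principal)) return;
    const hasCondition = !!s.Condition && Object.keys(s.Condition).length > 0;
    findings.push({ index, actions: toArray(s.Action), hasCondition });
  });
  return findings;
}

// Constructed sample: JSON shaped like the policy document the code above builds.
const PULL_ACTIONS = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"];
const OPEN_POLICY = JSON.stringify({
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { AWS: "*" }, Action: PULL_ACTIONS }],
});
// Constructed sample: same actions, limited to one account (placeholder account ID).
const SCOPED_POLICY = JSON.stringify({
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { AWS: "arn:aws:iam::111122223333:root" }, Action: PULL_ACTIONS }],
});
```

Run findWildcardAllows over the rendered policy JSON before deployment: OPEN_POLICY yields one finding for statement 0, SCOPED_POLICY yields none.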
