Using AWS KMS with ECR Public
Introduction
This Pulumi program demonstrates how to use AWS KMS (Key Management Service) together with Amazon ECR Public (Elastic Container Registry Public). AWS KMS is a managed service for creating and controlling the encryption keys used to protect your data. Amazon ECR Public is a fully managed container registry that lets developers share and deploy publicly available container images.
Step-by-Step Explanation
Step 1: Create an AWS KMS Key
First, we need to create an AWS KMS key that will be used to encrypt the ECR repository.
Step 2: Create an ECR Public Repository
Next, we create an ECR Public repository. Its ARN is used in Step 3 to scope the KMS grant to this repository.
Step 3: Grant Permissions
Finally, we create a KMS grant that allows the account root principal to use the key for Encrypt, Decrypt, GenerateDataKey and DescribeKey. The grant carries an EncryptionContextEquals constraint, so the cryptographic operations are permitted only when the request's encryption context is exactly aws:sourceArn = the repository ARN; DescribeKey takes no encryption context and is unaffected by the constraint.
Conclusion
In this Pulumi program, we created an AWS KMS key with automatic rotation enabled, an Amazon ECR Public repository, and a KMS grant whose encryption-context constraint ties use of the key to that repository's ARN. Scoping the grant this way follows least privilege: the key cannot be used under this grant with any other encryption context.
Full Code Example
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Step 1: Create an AWS KMS Key
const kmsKey = new aws.kms.Key("myKmsKey", {
    description: "KMS key for ECR encryption",
    deletionWindowInDays: 7,   // minimum waiting period before a scheduled deletion completes
    enableKeyRotation: true,   // rotate the key material automatically
});

// Step 2: Create an ECR Public Repository
const ecrRepository = new aws.ecrpublic.Repository("myEcrRepository", {
    repositoryName: "my-ecr-repo",
});

// Step 3: Grant Permissions
// getCallerIdentity() returns a Promise; pulumi.interpolate accepts it as an Input<string>.
const accountId = aws.getCallerIdentity().then(identity => identity.accountId);

const kmsGrant = new aws.kms.Grant("myKmsGrant", {
    keyId: kmsKey.keyId,
    granteePrincipal: pulumi.interpolate`arn:aws:iam::${accountId}:root`,
    operations: ["Encrypt", "Decrypt", "GenerateDataKey", "DescribeKey"],
    constraints: [{
        // Cryptographic operations under this grant succeed only when the request's
        // encryption context is exactly this pair. DescribeKey carries no encryption
        // context, so the constraint does not apply to it.
        encryptionContextEquals: {
            "aws:sourceArn": ecrRepository.arn,
        },
    }],
});

export const kmsKeyId = kmsKey.id;
export const ecrRepositoryUrl = ecrRepository.repositoryUri;
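To make the effect of the grant constraint in Step 3 concrete, the following is an added, stand-alone model of how KMS evaluates a grant with an EncryptionContextEquals constraint. It is illustrative TypeScript written for this page, not Pulumi or AWS SDK code; the account id and repository ARN are constructed placeholders that mirror the program above.

```typescript
// Added example: simplified model of KMS grant evaluation (not AWS or Pulumi code).
type EncryptionContext = Record<string, string>;

interface Grant {
  granteePrincipal: string;
  operations: string[];
  // "equals": request context must match all pairs exactly, with no extra pairs.
  // "subset": request context must contain the pairs but may carry more.
  constraint?: { kind: "equals" | "subset"; context: EncryptionContext };
}

interface Request {
  principal: string;
  operation: string;
  encryptionContext?: EncryptionContext;
}

// Only operations that carry an encryption context are subject to the constraint;
// DescribeKey, for instance, has none and is evaluated on principal and operation alone.
const CONTEXT_OPERATIONS = new Set([
  "Encrypt", "Decrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
  "ReEncryptFrom", "ReEncryptTo",
]);

function contextMatches(kind: "equals" | "subset", required: EncryptionContext, actual: EncryptionContext): boolean {
  const requiredKeys = Object.keys(required);
  if (!requiredKeys.every(k => actual[k] === required[k])) return false;
  // For "equals" the request may not carry any additional pairs.
  return kind === "subset" || Object.keys(actual).length === requiredKeys.length;
}

function grantAllows(grant: Grant, req: Request): boolean {
  if (req.principal !== grant.granteePrincipal) return false;
  if (!grant.operations.includes(req.operation)) return false;
  if (!grant.constraint || !CONTEXT_OPERATIONS.has(req.operation)) return true;
  return contextMatches(grant.constraint.kind, grant.constraint.context, req.encryptionContext ?? {});
}

// Constructed sample grant mirroring Step 3 (placeholder account id 111122223333).
const sampleRepoArn = "arn:aws:ecr-public::111122223333:repository/my-ecr-repo";
const sampleGrant: Grant = {
  granteePrincipal: "arn:aws:iam::111122223333:root",
  operations: ["Encrypt", "Decrypt", "GenerateDataKey", "DescribeKey"],
  constraint: { kind: "equals", context: { "aws:sourceArn": sampleRepoArn } },
};
```

Running grantAllows over a few requests shows that an Encrypt call with the exact repository context is permitted, while a call with no context, an extra context pair, a different principal or an operation outside the list is denied.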