Restrict access to namespace in ECR

Question

I want to restrict an EC2 instance to EC2 container registry (ECR) repositories with the same namespace.

The IAM instance role should only can pull all repositories under AWS_ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/test-namespace/.... Nothing else.

I've tried the following IAM policy on an EC2 instance role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1490955256000",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage"
            ],
            "Resource": [
                "arn:aws:ecr:REGION:AWS_ACCOUNT_ID:repository/test-namespace/*"
            ]
        }
    ]
}

But I was able to docker pull images from all repositories on that instance. E.g. AWS_ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/test-repo:latest

I don't see what I did wrong. It can't be the resource-level permissions. All of the above actions support them, except ecr:GetAuthorizationToken.

As we have many repositories, I don't want to do set resource permissions on each repository.

score 2 · Answer 1 · answered Dec 10 '19 at 23:54

ecr:GetAuthorizationToken does not support resource-level permissions. You'll need to grant "Resource": "*" to the ecr:GetAuthorizationToken action. The other actions can be restricted to the specific resources you wish to access.

In a policy, that would look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1490955256000",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1490955256001",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage"
            ],
            "Resource": [
                "arn:aws:ecr:REGION:AWS_ACCOUNT_ID:repository/test-namespace/*"
            ]
        }
    ]
}

Can you please post where you saw this and explain why it's true? — shmuels, Nov 23 '21 at 17:08

Restrict access to namespace in ECR

1 Answers1