3
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPushPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:user/root"
            },
            "Action": [
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:CompleteLayerUpload",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ],
            "Resource": [
                "xxx.dkr.ecr.us-west-2.amazonaws.com/yyy"
            ]
        }
    ]
}

Command I try to use is:

aws ecr set-repository-policy --repository-name yyy --policy-text file://ecr-policy.json

If I run ls on my Linux machine, I can see this ecr-policy.json in the same folder where I run this command.

I want to grant access to myself.

I always get this error:

An error occurred (InvalidParameterException) when calling the SetRepositoryPolicy operation: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'

I checked my AWS ARN and it ends with root.

John Rotenstein
dotnetavalanche

3 Answers

3

I want to grant access to myself.

You don't need a Resource section because this statement will be attached to a specific repository. Try adding the following statement at Console > ECR > Repositories > [Select a repo on the Images table] > Permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPushPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<account #>:user/<your IAM user name>",
                    "arn:aws:iam::<account #>:root"
                ]
            },
            "Action": [
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:CompleteLayerUpload",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ]
        }
    ]
}

NOTE: Replace <account #> with your AWS account ID.

gohm'c
    API error Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid registry policy provided' – dotnetavalanche Mar 22 '22 at 02:38
  • Checkout the updated answer. Do you get the error when you try on the console `Console > ECR > Repositories > Permissions`? – gohm'c Mar 22 '22 at 03:01
1

Remove Resource from the policy JSON file:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPushPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:user/root"
            },
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchDeleteImage",
                "ecr:BatchGetImage",
                "ecr:CompleteLayerUpload",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:ListImages",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ]
        }
    ]
}

Or you can set it in the AWS Console:

  1. Go to Amazon ECR > Repositories
  2. Create a repository
  3. Click the repository you created
  4. Go to the Permissions tab
  5. Edit permissions -> paste the above JSON

nari120
1

Try the resource in this format:

arn:${Partition}:ecr:${Region}:${Account}:repository/${Repository-name}

https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_service-with-iam.html

syma
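The two mistakes the answers above point at (a Resource that is not an ECR repository ARN, and a root principal written as `user/root`) can be caught before calling `set-repository-policy`. The following linter and policy builder are an added example, not code from the question or any answer; the regexes, the sample `ASKER_POLICY` dict and the account ID 123456789012 are constructed here for illustration.

```python
import json
import re

# Shapes of the ARNs involved (added helper checks, not AWS's own validator).
PRINCIPAL_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:(root|user/[\w+=,.@-]+|role/[\w+=,.@/-]+)$")
REPO_ARN = re.compile(r"^arn:aws[a-z-]*:ecr:[a-z0-9-]+:\d{12}:repository/[a-z0-9._/-]+$")

# Least-privilege split: pull-only callers do not need the upload actions.
PULL_ACTIONS = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"}
PUSH_ACTIONS = {"ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"}

# Constructed copy of the policy from the question (placeholders kept as written there).
ASKER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowPushPull", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::<account_id>:user/root"},
    "Action": sorted(PULL_ACTIONS | PUSH_ACTIONS),
    "Resource": ["xxx.dkr.ecr.us-west-2.amazonaws.com/yyy"]}]}


def lint_repository_policy(policy: dict) -> list[str]:
    """Return findings for the mistakes that make ECR reject a repository policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        principals = stmt.get("Principal", {}).get("AWS", [])
        for p in [principals] if isinstance(principals, str) else principals:
            if p.endswith(":user/root"):
                findings.append(f"{sid}: account root is 'arn:aws:iam::<account_id>:root', not 'user/root'")
            elif not PRINCIPAL_ARN.match(p):
                findings.append(f"{sid}: principal {p!r} is not a valid IAM ARN")
        resources = stmt.get("Resource")
        if resources is not None:  # Resource is optional in a repository policy
            for r in [resources] if isinstance(resources, str) else resources:
                if not REPO_ARN.match(r):
                    findings.append(f"{sid}: resource {r!r} is not arn:aws:ecr:<region>:<account>:repository/<name>")
    return findings


def build_repository_policy(principal_arns, allow_push=False) -> dict:
    """Build a repository policy granting pull, and push only when explicitly requested."""
    actions = sorted(PULL_ACTIONS | (PUSH_ACTIONS if allow_push else set()))
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowPushPull" if allow_push else "AllowPull", "Effect": "Allow",
        "Principal": {"AWS": list(principal_arns)}, "Action": actions}]}


if __name__ == "__main__":
    print("\n".join(lint_repository_policy(ASKER_POLICY)))
    fixed = build_repository_policy(["arn:aws:iam::123456789012:root"], allow_push=True)
    print(json.dumps(fixed, indent=4))  # ready for: aws ecr set-repository-policy --policy-text file://...
```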