0

Is it possible to allow pulling from but not pushing to the Docker API VPC Endpoint (com.amazonaws.<region>.ecr.dkr) in its attached policy?

I can't find a reference for any supported actions other than "*", is there a way to specify pull only? Or something via a condition?

OJFord

2 Answers

1

Yes, you can achieve this with a VPC endpoint policy.

Here's an example from the documentation. This policy enables a specific IAM role to pull images from Amazon ECR:

{
    "Statement": [{
        "Sid": "AllowPull",
        "Principal": {
            "AWS": "arn:aws:iam::1234567890:role/role_name"
        },
        "Action": [
            "ecr:BatchGetImage",
            "ecr:GetDownloadUrlForLayer",
            "ecr:GetAuthorizationToken"
        ],
        "Effect": "Allow",
        "Resource": "*"
    }]
}
Paolo
  • That is using the AWS API, `com.amazonaws.<region>.ecr.api` – OJFord Jul 07 '22 at 21:35
  • @OJFord why do you think that? – Paolo Jul 07 '22 at 21:50
  • @OJFord have you tried creating an ecr.dkr endpoint and attaching this policy? – Paolo Jul 07 '22 at 22:08
  • Well, for one thing those actions _are_ AWS APIs? I tried something similar (more allowed actions) before I understood the distinction between ecr.api/ecr.dkr and just applied the same to both. I can only get roughly the restriction I want by conditioning on the `aws:PrincipalArn` and `aws:ResourceTag`. – OJFord Jul 07 '22 at 22:35
  • As an aside: I found that `Principal: AWS: ` doesn't work in VPCE policies btw; I've had to use the condition `ArnEquals` on `aws:PrincipalArn` as above instead. – OJFord Jul 07 '22 at 22:37
  • @OJFord for `ecr.dkr` the documentation I linked states: *This endpoint is used for the Docker Registry APIs. Docker client commands such as push and pull use this endpoint.* – Paolo Jul 07 '22 at 22:47
  • @OJFord I created an `ecr.dkr` endpoint and then modified it to have this policy and it worked for me. – Paolo Jul 07 '22 at 22:50
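As an added example (not code from either answer), a small Python check that flags any Allow statement in an endpoint policy which would still permit the Docker push actions, so a "pull-only" policy can be verified before it is attached. It assumes the four ECR push action names listed in the code and uses the pull-only policy from the answer above as its sample; the allow-all sample is constructed.

```python
import fnmatch
import json

# ECR actions a "docker push" needs (real action names); "docker pull" needs none of them.
PUSH_ACTIONS = ("ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload", "ecr:PutImage")


def _as_list(value):
    """Action, NotAction and Statement may be a single string/object or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(action, pattern):
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def push_grants(policy):
    """Return (Sid, pattern, push_action) for every Allow statement that would
    permit a push action; an empty list means the policy is pull-only."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:  # allows everything except the listed actions
            excluded = _as_list(stmt["NotAction"])
            findings += [(sid, "NotAction", p) for p in PUSH_ACTIONS
                         if not any(_matches(p, x) for x in excluded)]
            continue
        for pat in _as_list(stmt.get("Action")):
            findings += [(sid, pat, p) for p in PUSH_ACTIONS if _matches(p, pat)]
    return findings


# Samples: the pull-only policy from the answer above, and a constructed
# default-style policy that allows "*" and therefore also permits pushing.
PULL_ONLY = {"Statement": [{"Sid": "AllowPull", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::1234567890:role/role_name"},
    "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:GetAuthorizationToken"],
    "Resource": "*"}]}
ALLOW_ALL = {"Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Principal": "*",
    "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("pull-only", PULL_ONLY), ("allow-all", ALLOW_ALL)):
        print(name, push_grants(pol) or "no push grants")
```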
0

In AWS Console, add security groups that your instances (maybe all possible security groups) are using to the VPC endpoints.

Bumsik Kim