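AWS roles to push a Docker image to Elastic Container Registry
TL;DR: Pushing an image to ECR requires the following permissions:
BatchCheckLayerAvailability, GetAuthorizationToken, CompleteLayerUpload, InitiateLayerUpload, PutImage, and UploadLayerPart.
This is the role's policy in JSON format. The layer and image actions are scoped to a single repository, while ecr:GetAuthorizationToken does not support resource-level permissions and therefore needs "Resource": "*".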
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ecr:CompleteLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:InitiateLayerUpload",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage"
      ],
      "Resource": "arn:aws:ecr:ap-northeast-1:830147152140:repository/artflag"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}
Permissions for image pull
The permissions for pulling images are simpler:
- BatchGetImage, GetAuthorizationToken, GetDownloadUrlForLayer.
- Or, in JSON format:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "arn:aws:ecr:ap-northeast-1:830147152140:repository/artflag"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}
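To check that a policy has not drifted from the push and pull shapes above, the following added example (not part of the original post) audits an identity policy document against the action sets listed on this page. The function name `audit_ecr_policy`, the sample documents and the rule that any wildcard in a repository ARN is flagged are assumptions of this example; it only inspects `Allow` statements and ignores `NotAction` and `Condition`.

```python
import json

# Action sets taken from the two policies on this page.
REPO_ACTIONS = {
    "push": {"ecr:BatchCheckLayerAvailability", "ecr:CompleteLayerUpload",
             "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart"},
    "pull": {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"},
}
TOKEN = "ecr:GetAuthorizationToken"  # no resource-level support: needs Resource "*"

def _listify(value):
    """IAM allows a single string/object where a list is expected."""
    return value if isinstance(value, list) else [value]

def audit_ecr_policy(policy_json, mode):
    """Return findings for an identity policy; [] means it matches the
    page's least-privilege shape for mode 'push' or 'pull'."""
    required, granted, token_ok, findings = REPO_ACTIONS[mode], set(), False, []
    for stmt in _listify(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _listify(stmt.get("Resource", []))
        for action in _listify(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif action == TOKEN:
                token_ok = token_ok or "*" in resources
            else:
                granted.add(action)
                # Assumption: stricter than IAM requires, any wildcard in the ARN is flagged.
                findings += [f"{action} on wildcard resource: {r}"
                             for r in resources if "*" in r]
    findings += [f"missing: {a}" for a in sorted(required - granted)]
    findings += [f"not needed for {mode}: {a}" for a in sorted(granted - required)]
    if not token_ok:
        findings.append(f'{TOKEN} not explicitly allowed on Resource "*"')
    return findings

# Constructed sample inputs: the page's push policy shape, and an over-broad one.
REPO = "arn:aws:ecr:ap-northeast-1:830147152140:repository/artflag"
PAGE_PUSH = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(REPO_ACTIONS["push"]), "Resource": REPO},
    {"Effect": "Allow", "Action": TOKEN, "Resource": "*"}]})
TOO_BROAD = json.dumps({"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Action": ["ecr:*"], "Resource": "*"}})

if __name__ == "__main__":
    for name, doc in [("page push", PAGE_PUSH), ("too broad", TOO_BROAD)]:
        print(name, "->", audit_ecr_policy(doc, "push") or "OK")
```

Running the same push policy with mode "pull" shows that it cannot pull images, which is why a CI role that both builds on a base image in ECR and pushes the result needs both action sets.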