AWS IAM policy for pushing a Docker image to Elastic Container Registry

TLDR; the ECR actions required for a push are:

  • ecr:BatchCheckLayerAvailability
  • ecr:GetAuthorizationToken
  • ecr:CompleteLayerUpload
  • ecr:InitiateLayerUpload
  • ecr:PutImage
  • ecr:UploadLayerPart

This is the policy document in JSON format. The repository actions are scoped to a single repository ARN; ecr:GetAuthorizationToken does not support resource-level permissions, so it has to be allowed on "*". Note that ECR does not create a repository on push: the repository must already exist (creating it needs ecr:CreateRepository, which this policy deliberately does not grant).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:CompleteLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:InitiateLayerUpload",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage"
            ],
            "Resource": "arn:aws:ecr:ap-northeast-1:830147152140:repository/artflag"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*"
        }
    ]
}

Permissions for image pull.

The permissions for pulling images are simpler:

  • ecr:BatchGetImage, ecr:GetAuthorizationToken, ecr:GetDownloadUrlForLayer.
  • Or, in JSON format:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage"
            ],
            "Resource": "arn:aws:ecr:ap-northeast-1:830147152140:repository/artflag"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*"
        }
    ]
}
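
The push and pull policies above, run through a small checker, as an added example that is not part of the original post: it parses each policy document, confirms that every action listed for push or pull is present, that ecr:GetAuthorizationToken is granted, that the repository actions are limited to a repository ARN rather than "*", and that nothing beyond what the mode needs is allowed. PUSH_POLICY and PULL_POLICY reproduce the post's JSON; OVERBROAD_POLICY, the action sets and check_policy() are this example's own names.

```python
# Added example, not code from the original post. Checks that an ECR IAM
# policy document grants exactly the push or pull actions listed in the post
# and scopes the repository actions to a repository ARN rather than "*".
import json

REPO_ARN = "arn:aws:ecr:ap-northeast-1:830147152140:repository/artflag"

# Actions docker push / docker pull need against the repository (from the post).
PUSH_ACTIONS = {
    "ecr:BatchCheckLayerAvailability", "ecr:CompleteLayerUpload",
    "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart",
}
PULL_ACTIONS = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"}
# Not resource-scoped in IAM: it has to be allowed on "*".
TOKEN_ACTION = "ecr:GetAuthorizationToken"

# The post's push policy, parsed exactly as it would be read from a file.
PUSH_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["ecr:CompleteLayerUpload", "ecr:UploadLayerPart",
                "ecr:InitiateLayerUpload", "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage"],
     "Resource": "%s"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": "ecr:GetAuthorizationToken", "Resource": "*"}
  ]
}""" % REPO_ARN)

# The post's pull policy.
PULL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
     "Resource": "%s"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": "ecr:GetAuthorizationToken", "Resource": "*"}
  ]
}""" % REPO_ARN)

# Constructed for this example: the "just make it work" policy that grants
# every ECR action on every repository in the account.
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:*", "Resource": "*"}]}


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Map each action allowed by the policy to the set of resources it is allowed on.

    Only Allow statements are read; Deny, NotAction and Condition are ignored.
    """
    allowed = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            allowed.setdefault(action, set()).update(_as_list(stmt.get("Resource", [])))
    return allowed


def check_policy(policy, mode):
    """Return findings for a 'push' or 'pull' policy; [] means complete and least-privilege."""
    if mode not in ("push", "pull"):
        raise ValueError("mode must be 'push' or 'pull'")
    required = PUSH_ACTIONS if mode == "push" else PULL_ACTIONS
    allowed = allowed_actions(policy)
    findings = []
    wildcards = {a for a in allowed if a.endswith("*")}
    for action in sorted(wildcards):
        findings.append(f"wildcard action {action} grants far more than {mode} needs")
    for action in sorted(required):
        if action not in allowed:
            findings.append(f"missing {action}")
        elif "*" in allowed[action] or not all(":repository/" in r for r in allowed[action]):
            findings.append(f"{action} is not scoped to a repository ARN")
    if TOKEN_ACTION not in allowed:
        findings.append(f"missing {TOKEN_ACTION}")
    for action in sorted(set(allowed) - required - {TOKEN_ACTION} - wildcards):
        findings.append(f"unneeded action {action} for {mode}")
    return findings


if __name__ == "__main__":
    for label, policy, mode in [("push policy", PUSH_POLICY, "push"),
                                ("pull policy", PULL_POLICY, "pull"),
                                ("pull policy used for push", PULL_POLICY, "push"),
                                ("ecr:* on *", OVERBROAD_POLICY, "push")]:
        print(f"{label}: {check_policy(policy, mode) or 'OK'}")
```

The checker reports the post's two policies as clean, flags the pull policy as both incomplete and over-privileged when used for a push, and flags the ecr:* policy as a wildcard grant. It deliberately reads only Allow statements, so it will not notice a Deny elsewhere in the account that overrides one of these grants; for that, evaluate the effective permissions of the principal rather than a single policy document.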