Amazon ECR
User Guide (API Version 2015-09-21)
AWS services or features described in the AWS documentation may vary by region or location. See Getting Started with Amazon AWS for the specific differences in the China regions.

Amazon ECR Repository Policy Examples

The following examples show policy statements that can be used to control the permissions users have on an Amazon ECR repository.

Important

Amazon ECR users must have permission to call ecr:GetAuthorizationToken before they can authenticate to the registry and push or pull any image from any Amazon ECR repository. Amazon ECR provides several managed policies that control user access at different levels; for more information, see Amazon ECR Managed Policies.

Example: Allow IAM users within your account

The following repository policy allows IAM users in your account to push and pull images.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPushPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::aws_account_id:user/push-pull-user-1",
                    "arn:aws:iam::aws_account_id:user/push-pull-user-2"
                ]
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload"
            ]
        }
    ]
}

Example: Allow another account

The following repository policy allows a specific account to push images.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountPush",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::aws_account_id:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload"
            ]
        }
    ]
}

The following repository policy allows all AWS accounts to pull images.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPull",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        }
    ]
}

The following repository policy allows some IAM users to pull images (pull-user-1 and pull-user-2) and grants another user full access (admin-user).

Note

For more complex repository policies that are not currently supported in the AWS Management Console, you can apply the policy with the set-repository-policy AWS CLI command.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::aws_account_id:user/pull-user-1",
                    "arn:aws:iam::aws_account_id:user/pull-user-2"
                ]
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        },
        {
            "Sid": "AllowAll",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::aws_account_id:user/admin-user"
            },
            "Action": [
                "ecr:*"
            ]
        }
    ]
}

Example: Deny all

The following repository policy denies all users the ability to pull images.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "DenyPull",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        }
    ]
}
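The multi-statement policy above and the "Deny all" policy together raise the question of what a given principal can actually do once statements are combined. The following added example, which is not part of the AWS documentation or of any AWS SDK, evaluates a repository policy offline the way IAM does (an explicit Deny overrides any Allow; a principal matched by no statement is implicitly denied) and lints for statements that grant push actions to the wildcard principal "*". The account id, user names and the helper names (evaluate, public_push_sids) are constructed for the example; ARN matching is literal and does not model account-root delegation.

```python
import fnmatch

# Constructed sample: the AllowPull/AllowAll policy from this page, with a
# placeholder account id (an assumption; substitute your own account id).
ACCOUNT = "111122223333"
USER = f"arn:aws:iam::{ACCOUNT}:user/"
POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "AllowPull", "Effect": "Allow",
         "Principal": {"AWS": [USER + "pull-user-1", USER + "pull-user-2"]},
         "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                    "ecr:BatchCheckLayerAvailability"]},
        {"Sid": "AllowAll", "Effect": "Allow",
         "Principal": {"AWS": USER + "admin-user"}, "Action": ["ecr:*"]},
    ],
}
# Actions that write image layers/manifests; granting any of these to "*"
# would let anyone push into the repository.
PUSH_ACTIONS = {"ecr:PutImage", "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_public(principal):
    """True for a bare "*" or {"AWS": "*"} principal, i.e. anyone."""
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def principal_matches(principal, arn):
    """Literal ARN match against the AWS principal list, or a public wildcard."""
    return is_public(principal) or (isinstance(principal, dict)
                                    and arn in _as_list(principal.get("AWS", [])))

def action_matches(patterns, action):
    """IAM action names are case-insensitive and may contain "*" wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def evaluate(policy, principal_arn, action):
    """Return "Deny", "Allow" or "ImplicitDeny"; an explicit Deny always wins,
    regardless of statement order (IAM evaluation logic)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if principal_matches(stmt["Principal"], principal_arn) and action_matches(stmt["Action"], action):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def public_push_sids(policy):
    """Lint: Sids of Allow statements that grant a push action to everyone."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Allow" and is_public(s["Principal"])
            and any(action_matches(s["Action"], a) for a in PUSH_ACTIONS)]
```

Appending the page's DenyPull statement to POLICY shows that even admin-user's ecr:* grant cannot pull, while pushes are still allowed.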