Using tag-based access control in Amazon ECR public

The Amazon ECR Public CreateRepository API action enables you to specify tags when you create the repository. For more information, see Tag an Amazon ECR Public repository.

To enable users to tag repositories on creation, they must have permissions to use the action that creates the resource (for example, ecr-public:CreateRepository). If tags are specified in the resource-creating action, Amazon performs additional authorization on the ecr-public:CreateRepository action to verify if users have permissions to create tags.

You can used tag-based access control through IAM policies. The following are examples.

The following policy would only allow an IAM user to create or tag a public repository where the tag key is environment and tag value is dev.

The following policy would allow an IAM user access to all public repositories unless they were tagged as key=environment,value=prod.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Identity-based policy examples

Troubleshooting