Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Amazon ECR Public

Amazon ECR Public provides several managed policies that you can attach to IAM users, groups, or roles (including the role that an Amazon EC2 instance assumes through its instance profile). These policies allow for differing levels of control over Amazon ECR Public resources and API operations. You can apply these policies directly or use them as starting points for creating your own policies; all three use "Resource": "*", so if you need to limit a principal to particular repositories you must write a customer managed policy. For more information about each API operation that's mentioned in these policies, see Actions in the Amazon ECR Public API Reference.

AmazonElasticContainerRegistryPublicFullAccess

You can attach the AmazonElasticContainerRegistryPublicFullAccess policy to your IAM identities.

This managed policy is a starting point for providing an IAM user or role with full administrator access to manage their use of Amazon ECR Public.

Permissions details

This policy includes the following permissions:

  • ecr-public – Provides IAM principals full access to all Amazon ECR Public APIs. Because the action is ecr-public:* on every resource, this includes destructive and policy-changing operations such as ecr-public:DeleteRepository and ecr-public:SetRepositoryPolicy, so attach it only to administrators.

  • sts – Allows IAM principals to acquire an Amazon Security Token Service bearer token for an Amazon root user, IAM role, or IAM user. This permission is required together with ecr-public:GetAuthorizationToken to obtain the token that authenticates a Docker client to the public registry.

The AmazonElasticContainerRegistryPublicFullAccess policy is as follows.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr-public:*",
                "sts:GetServiceBearerToken"
            ],
            "Resource": "*"
        }
    ]
}

AmazonElasticContainerRegistryPublicPowerUser

You can attach the AmazonElasticContainerRegistryPublicPowerUser policy to your IAM identities.

This policy grants administrative permissions that allow power user access to Amazon ECR Public. This provides write access to public repositories, but it doesn't allow users to delete public repositories or change the policy documents that are applied to them.

Permissions details

This policy includes the following permissions:

  • ecr-public – Allows IAM principals to read from and push to repositories and to read repository policies. IAM principals aren't granted permission to delete repositories or change the repository policies that are applied to them. Note that the policy also omits ecr-public:CreateRepository, ecr-public:BatchDeleteImage, and the catalog-data Put operations, so it can only push images into repositories that already exist.

  • sts – Allows IAM principals to acquire an Amazon Security Token Service bearer token for an Amazon root user, IAM role, or IAM user.

The AmazonElasticContainerRegistryPublicPowerUser policy is as follows.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr-public:GetAuthorizationToken",
                "sts:GetServiceBearerToken",
                "ecr-public:BatchCheckLayerAvailability",
                "ecr-public:GetRepositoryPolicy",
                "ecr-public:DescribeRepositories",
                "ecr-public:DescribeRegistries",
                "ecr-public:DescribeImages",
                "ecr-public:DescribeImageTags",
                "ecr-public:GetRepositoryCatalogData",
                "ecr-public:GetRegistryCatalogData",
                "ecr-public:InitiateLayerUpload",
                "ecr-public:UploadLayerPart",
                "ecr-public:CompleteLayerUpload",
                "ecr-public:PutImage"
            ],
            "Resource": "*"
        }
    ]
}

AmazonElasticContainerRegistryPublicReadOnly

You can attach the AmazonElasticContainerRegistryPublicReadOnly policy to your IAM identities.

This policy grants read-only permissions to Amazon ECR Public. These permissions include the ability to describe public registries, to list and describe public repositories, to describe images within a public repository, and to pull images from Amazon ECR Public with the Docker CLI.

Permissions details

This policy includes the following permissions:

  • ecr-public – Allows IAM principals to describe registries and repositories, describe images and tags, check layer availability, and read repository policies and catalog data. No write, delete, or policy-changing action is granted.

  • sts – Allows IAM principals to acquire an Amazon Security Token Service bearer token for an Amazon root user, IAM role, or IAM user.

The AmazonElasticContainerRegistryPublicReadOnly policy is as follows.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr-public:GetAuthorizationToken",
                "sts:GetServiceBearerToken",
                "ecr-public:BatchCheckLayerAvailability",
                "ecr-public:GetRepositoryPolicy",
                "ecr-public:DescribeRepositories",
                "ecr-public:DescribeRegistries",
                "ecr-public:DescribeImages",
                "ecr-public:DescribeImageTags",
                "ecr-public:GetRepositoryCatalogData",
                "ecr-public:GetRegistryCatalogData"
            ],
            "Resource": "*"
        }
    ]
}
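The three policies side by side, as an added Python example that is not part of the Amazon documentation: it computes what PowerUser grants beyond ReadOnly, checks which operations each policy does and does not cover, and derives from PowerUser a customer managed policy that limits pushes to named repositories, the "starting point" use the introduction describes. The policy documents are the ones shown on this page; the account ID, the repository names, and the small is_allowed() matcher are constructed for the example (the matcher handles Allow statements and "*" wildcards only, ignoring Deny and Condition, and is not a substitute for aws iam simulate-custom-policy).

```python
"""Compare the ECR Public managed policies and derive a repository-scoped
customer managed policy from the PowerUser policy.

Added example, not code from the Amazon documentation. ACCOUNT_ID and the
repository names are constructed placeholders. is_allowed() is a small
approximation of IAM evaluation (Allow statements, "*" wildcards, no Deny,
no Condition); use `aws iam simulate-custom-policy` for real checks.
"""
import fnmatch
import json

ECR_PUBLIC_READ = [  # read actions shared by PowerUser and ReadOnly
    "ecr-public:GetAuthorizationToken", "sts:GetServiceBearerToken",
    "ecr-public:BatchCheckLayerAvailability", "ecr-public:GetRepositoryPolicy",
    "ecr-public:DescribeRepositories", "ecr-public:DescribeRegistries",
    "ecr-public:DescribeImages", "ecr-public:DescribeImageTags",
    "ecr-public:GetRepositoryCatalogData", "ecr-public:GetRegistryCatalogData",
]
ECR_PUBLIC_PUSH = [  # the four extra actions in PowerUser
    "ecr-public:InitiateLayerUpload", "ecr-public:UploadLayerPart",
    "ecr-public:CompleteLayerUpload", "ecr-public:PutImage",
]


def _policy(actions, resource="*"):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions),
                           "Resource": resource}]}


FULL_ACCESS = _policy(["ecr-public:*", "sts:GetServiceBearerToken"])
POWER_USER = _policy(ECR_PUBLIC_READ + ECR_PUBLIC_PUSH)
READ_ONLY = _policy(ECR_PUBLIC_READ)

ACCOUNT_ID = "111122223333"  # constructed placeholder account
PARTITION = "aws"            # assumption; "aws-cn" in the China partition

# GetAuthorizationToken and sts:GetServiceBearerToken take no resource and
# must stay on Resource "*"; the registry-level Describe/Get calls are kept
# on "*" here as well for simplicity.
REGISTRY_LEVEL = {
    "ecr-public:GetAuthorizationToken", "sts:GetServiceBearerToken",
    "ecr-public:DescribeRegistries", "ecr-public:GetRegistryCatalogData",
}


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def allowed_actions(policy):
    """Set of action patterns granted by the policy's Allow statements."""
    out = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow":
            out.update(_as_list(stmt["Action"]))
    return out


def extra_actions(policy, baseline):
    """Actions that `policy` grants and `baseline` does not, sorted."""
    return sorted(allowed_actions(policy) - allowed_actions(baseline))


def is_allowed(policy, action, resource="*"):
    """Simplified check: True if any Allow statement matches both the action
    and the resource using IAM-style '*' wildcards. No Deny, no Condition."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        act_ok = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if act_ok and res_ok:
            return True
    return False


def repo_arn(name, account_id=ACCOUNT_ID, partition=PARTITION):
    """ECR Public repository ARN; the Region field is empty (the registry is global)."""
    return f"arn:{partition}:ecr-public::{account_id}:repository/{name}"


def scoped_push_policy(repo_names):
    """PowerUser's grants, with the repository-level actions limited to repo_names."""
    actions = allowed_actions(POWER_USER)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "RegistryLevel", "Effect": "Allow",
             "Action": sorted(actions & REGISTRY_LEVEL), "Resource": "*"},
            {"Sid": "RepositoryLevel", "Effect": "Allow",
             "Action": sorted(actions - REGISTRY_LEVEL),
             "Resource": [repo_arn(n) for n in repo_names]},
        ],
    }


if __name__ == "__main__":
    print("PowerUser adds over ReadOnly:", extra_actions(POWER_USER, READ_ONLY))
    for act in ("ecr-public:DeleteRepository", "ecr-public:SetRepositoryPolicy",
                "ecr-public:CreateRepository"):
        print(act, "FullAccess:", is_allowed(FULL_ACCESS, act),
              "PowerUser:", is_allowed(POWER_USER, act))
    print(json.dumps(scoped_push_policy(["team-a/api"]), indent=2))
```

Running the script prints the derived document, which you can register with aws iam create-policy and attach in place of the managed PowerUser policy. The token actions are kept in their own statement on "*" because ecr-public:GetAuthorizationToken and sts:GetServiceBearerToken do not accept a resource ARN; everything else in PowerUser can be pinned to specific repository ARNs.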

Amazon ECR Public updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon ECR Public since the time that this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon ECR Public Document history page.

Change | Description | Date
Amazon ECR started tracking changes | Amazon ECR started tracking changes for Amazon managed policies. | June 24, 2021
AmazonElasticContainerRegistryPublicReadOnly – New policy | Amazon ECR added a new policy that grants read-only permissions to Amazon ECR Public. These permissions include the ability to describe public registries, to list and describe public repositories, to describe images within a public repository, and to pull images from Amazon ECR Public with the Docker CLI. | December 1, 2020
AmazonElasticContainerRegistryPublicPowerUser – New policy | Amazon ECR added a new policy that grants administrative permissions to Amazon ECR Public that allow write access to public repositories. However, these permissions don't allow users to delete public repositories or change the policy documents that are applied to them. | December 1, 2020
AmazonElasticContainerRegistryPublicFullAccess – New policy | Amazon ECR added a new policy that grants full access to Amazon ECR Public. | December 1, 2020