本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
私有注册表策略示例
以下示例显示了注册表权限策略语句,您可以使用这些语句来控制用户对您的Amazon ECR注册表具有的权限。
示例:允许源账户的根用户复制所有存储库
{ "Version":"2012-10-17", "Statement":[ { "Sid":"ReplicationAccessCrossAccount", "Effect":"Allow", "Principal":{ "AWS":"arn:aws:iam::source_account_id:root" }, "Action":[ "ecr:CreateRepository", "ecr:ReplicateImage" ], "Resource": [ "arn:aws:ecr:us-west-2:your_account_id:repository/*" ] } ] }
示例:允许多个账户
{ "Version":"2012-10-17", "Statement":[ { "Sid":"ReplicationAccessCrossAccount", "Effect":"Allow", "Principal":{ "AWS":"arn:aws:iam::source_account_id:root" }, "Action":[ "ecr:CreateRepository", "ecr:ReplicateImage" ], "Resource": [ "arn:aws:ecr:us-west-2:your_account_id:repository/*" ] }, { "Sid":"ReplicationAccessCrossAccount", "Effect":"Allow", "Principal":{ "AWS":"arn:aws:iam::source_account_id:root" }, "Action":[ "ecr:CreateRepository", "ecr:ReplicateImage" ], "Resource": [ "arn:aws:ecr:us-west-2:your_account_id:repository/*" ] } ] }
示例:允许源账户的根用户复制以 开头的所有存储库 prod-
{ "Version":"2012-10-17", "Statement":[ { "Sid":"ReplicationAccessCrossAccount", "Effect":"Allow", "Principal":{ "AWS":"arn:aws:iam::source_account_id:root" }, "Action":[ "ecr:CreateRepository", "ecr:ReplicateImage" ], "Resource": [ "arn:aws:ecr:us-west-2:your_account_id:repository/prod-*" ] } ] }
示例:允许源账户的根用户复制以 开头的所有存储库 prod-
如果从注册表权限语句中删除了 ecr:CreateRepository 操作,则可以复制存储库。但是,要成功复制,您需要在您的账户中创建具有相同名称的存储库。
{ "Version":"2012-10-17", "Statement":[ { "Sid":"ReplicationAccessCrossAccount", "Effect":"Allow", "Principal":{ "AWS":"arn:aws:iam::source_account_id:root" }, "Action":[ "ecr:ReplicateImage" ], "Resource": [ "arn:aws:ecr:us-west-2:your_account_id:repository/*" ] } ] }