AWS::ECR::RegistryPolicy - Amazon CloudFormation

AWS::ECR::RegistryPolicy

The AWS::ECR::RegistryPolicy resource creates or updates the permissions policy for a private registry.

A private registry policy is used to specify permissions for another Amazon Web Services account and is used when configuring cross-account replication. For more information, see Registry permissions in the Amazon Elastic Container Registry User Guide.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::ECR::RegistryPolicy",
  "Properties" : {
    "PolicyText" : Json
  }
}

YAML

Type: AWS::ECR::RegistryPolicy
Properties:
  PolicyText: Json

Properties

PolicyText

The JSON policy text for your registry.

Required: Yes

Type: Json

Update requires: No interruption

Return values

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

RegistryId

The account ID of the private registry the policy is associated with.

Examples

Specify a registry policy for a private registry

The following example specifies a private registry policy in us-west-2 that grants permission for account 210987654321 to create repositories and replicate their contents to your private registry.

JSON

"TestRegistryPolicy": {
  "Type": "AWS::ECR::RegistryPolicy",
  "Properties": {
    "PolicyText": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ReplicationAccessCrossAccount",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::210987654321:root"
          },
          "Action": [
            "ecr:CreateRepository",
            "ecr:ReplicateImage"
          ],
          "Resource": "arn:aws:ecr:us-west-2:123456789012:repository/*"
        }
      ]
    }
  }
}

YAML

Resources:
  TestRegistryPolicy:
    Type: 'AWS::ECR::RegistryPolicy'
    Properties:
      PolicyText:
        Version: 2012-10-17
        Statement:
          - Sid: UpdatedRegistryPolicy
            Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::210987654321:root'
            Action:
              - 'ecr:CreateRepository'
              - 'ecr:ReplicateImage'
            Resource: 'arn:aws:ecr:us-west-2:123456789012:repository/*'