AWS::ECR::RegistryPolicy - Amazon CloudFormation


The AWS::ECR::RegistryPolicy resource creates or updates the permissions policy for a private registry.

A private registry policy specifies permissions for another Amazon Web Services account and is used when configuring cross-account replication. For more information, see Registry permissions in the Amazon Elastic Container Registry User Guide.


To declare this entity in your Amazon CloudFormation template, use the following syntax:


{
  "Type" : "AWS::ECR::RegistryPolicy",
  "Properties" : {
      "PolicyText" : Json
    }
}


Type: AWS::ECR::RegistryPolicy
Properties:
  PolicyText: Json



PolicyText

The JSON policy text for your registry.

Required: Yes

Type: Json

Update requires: No interruption

Return values


The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.


The account ID of the private registry the policy is associated with.


Specify a registry policy for a private registry

The following example specifies a private registry policy in us-west-2 that grants permission for account 210987654321 to create repositories and replicate their contents to your private registry.


"TestRegistryPolicy": {
    "Type": "AWS::ECR::RegistryPolicy",
    "Properties": {
        "PolicyText": {
            "Version":"2012-10-17",
            "Statement":[
                {
                    "Sid":"ReplicationAccessCrossAccount",
                    "Effect":"Allow",
                    "Principal":{
                        "AWS":"arn:aws:iam::210987654321:root"
                    },
                    "Action":[
                        "ecr:CreateRepository",
                        "ecr:ReplicateImage"
                    ],
                    "Resource": "arn:aws:ecr:us-west-2:123456789012:repository/*"
                }
            ]
        }
    }
}


Resources:
  TestRegistryPolicy:
    Type: 'AWS::ECR::RegistryPolicy'
    Properties:
      PolicyText:
        Version: 2012-10-17
        Statement:
          - Sid: UpdatedRegistryPolicy
            Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::210987654321:root'
            Action:
              - 'ecr:CreateRepository'
              - 'ecr:ReplicateImage'
            Resource: 'arn:aws:ecr:us-west-2:123456789012:repository/*'
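The following pre-deployment check is an added example, not part of the Amazon documentation or any AWS tooling. It reviews a PolicyText document and reports Allow statements that grant more than the cross-account replication access shown above. The function name, the allow-list of trusted accounts, the restriction to the two actions from the example, and the second sample policy are all assumptions made for illustration.

```python
import re

# Assumption: only the two actions from the page's replication example are expected.
EXPECTED_ACTIONS = {"ecr:createrepository", "ecr:replicateimage"}
PRINCIPAL = re.compile(r"^(?:arn:aws[\w-]*:iam::(\d{12}):root|(\d{12}))$")
REPO_ARN = re.compile(r"^arn:aws[\w-]*:ecr:[\w-]+:(\d{12}):repository/.+$")

def _listify(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_registry_policy(policy_text, trusted_accounts, registry_account):
    """Return (sid, finding) tuples for Allow statements broader than intended."""
    findings = []
    for stmt in _listify(policy_text.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot widen access
        sid = stmt.get("Sid", "<no Sid>")
        for key in ("NotPrincipal", "NotAction", "NotResource"):
            if key in stmt:
                findings.append((sid, f"{key} used with Allow"))
        principal = stmt.get("Principal", {})
        # A bare string principal such as "*" is checked like any other value.
        arns = [principal] if isinstance(principal, str) else _listify(principal.get("AWS"))
        for arn in arns:
            m = PRINCIPAL.match(arn)
            account = (m.group(1) or m.group(2)) if m else None
            if account is None:
                findings.append((sid, f"principal is not a single account: {arn}"))
            elif account not in trusted_accounts:
                findings.append((sid, f"untrusted account: {account}"))
        for action in _listify(stmt.get("Action")):
            if action.lower() not in EXPECTED_ACTIONS:  # IAM actions are case-insensitive
                findings.append((sid, f"unexpected action: {action}"))
        for res in _listify(stmt.get("Resource")):
            m = REPO_ARN.match(res)
            if not m or m.group(1) != registry_account:
                findings.append((sid, f"resource outside this registry: {res}"))
    return findings

# The page's example statement, plus a constructed over-broad one for contrast.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ReplicationAccessCrossAccount", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
    "Action": ["ecr:CreateRepository", "ecr:ReplicateImage"],
    "Resource": "arn:aws:ecr:us-west-2:123456789012:repository/*"}]}
LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ConstructedTooBroad", "Effect": "Allow",
    "Principal": {"AWS": "*"}, "Action": "ecr:*", "Resource": "*"}]}
```

Calling lint_registry_policy(PAGE_POLICY, {"210987654321"}, "123456789012") returns an empty list, while the constructed policy produces one finding each for its principal, action and resource.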