Public repository policy examples - Amazon ECR Public
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Public repository policy examples

The following examples show policy statements that you use to control the permissions that users have to your public repositories.


All public repositories are visible on the Amazon ECR Public Gallery. Using a repository policy to deny access to view or pull from a public repository is not supported.


Amazon ECR requires that users have permission to make calls to the ecr-public:GetAuthorizationToken and sts:GetServiceBearerToken API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.

Example: Allow an IAM user within your account

The following repository policy allows users within your account to push images.

{ "Version": "2008-10-17", "Statement": [ { "Sid": "AllowPush", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::account-id:user/push-pull-user-1", "arn:aws:iam::account-id:user/push-pull-user-2" ] }, "Action": [ "ecr-public:BatchCheckLayerAvailability", "ecr-public:PutImage", "ecr-public:InitiateLayerUpload", "ecr-public:UploadLayerPart", "ecr-public:CompleteLayerUpload" ] } ] }

Example: Allow another account

The following repository policy allows a specific account to push images.

{ "Version": "2008-10-17", "Statement": [ { "Sid": "AllowCrossAccountPush", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::account-id:root" }, "Action": [ "ecr-public:BatchCheckLayerAvailability", "ecr-public:PutImage", "ecr-public:InitiateLayerUpload", "ecr-public:UploadLayerPart", "ecr-public:CompleteLayerUpload" ] } ] }