Setting a repository policy statement in Amazon ECR Public
You can add an access policy statement to a public repository in the Amazon Web Services Management Console by following these steps. You can add multiple policy statements per public repository. For example policies, see Public repository policy examples in Amazon ECR Public.
Important
Amazon ECR requires that users have permission to make calls to the ecr-public:GetAuthorizationToken and sts:GetServiceBearerToken API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.
To set a repository policy statement
- Open the Amazon ECR console at https://console.amazonaws.cn/ecr/repositories.
- From the navigation bar, choose the Amazon Web Services Region that contains the repository to set a policy statement on.
- In the navigation pane, choose Repositories.
- On the Repositories page, select the Public tab, and then choose the repository to set a policy statement on.
- In the navigation pane, choose Permissions, Edit.
- On the Edit permissions page, choose Add statement.
- For Statement name, enter a name for the statement.
- For Effect, choose whether the policy statement results in an allow or an explicit deny.
  Note
  All public repositories are visible on the Amazon ECR Public Gallery. Using a repository policy to deny access to view or pull from a public repository is not supported.
- For Principal, choose the scope to apply the policy statement to. For more information, see Amazon JSON Policy Elements: Principal in the IAM User Guide.
  - You can apply the statement to all authenticated Amazon users by selecting the Everyone (*) check box.
  - For Service principal, specify the service principal name (for example, ecs.amazonaws.com) to apply the statement to a specific service.
  - For Amazon Account IDs, specify an Amazon Web Services account number (for example, 111122223333) to apply the statement to all users under a specific Amazon Web Services account. Multiple accounts can be specified by using a comma-separated list.
  - For IAM Entities, select the roles or users under your Amazon Web Services account to apply the statement to.
    Note
    For more complicated repository policies that are not currently supported in the Amazon Web Services Management Console, you can apply the policy with the set-repository-policy Amazon CLI command.
- For Actions, choose the scope of the Amazon ECR API operations that the policy statement applies to from the list of individual API operations.
- When you're finished, choose Save to set the policy.
- Repeat the previous step for each repository policy to add.
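The form fields in this procedure (Statement name, Effect, Principal, Actions) correspond to the Sid, Effect, Principal and Action elements of a JSON policy statement. The following is an added example, not taken from the Amazon documentation: it builds the policy document from those fields and flags any Allow statement that gives Everyone (*) an image push operation. The function names and the sample statements are hypothetical; the account ID and service principal are the example values from this page.

```python
import json
from fnmatch import fnmatchcase

# Image push operations in the Amazon ECR Public API.
PUSH_ACTIONS = ("ecr-public:BatchCheckLayerAvailability",
                "ecr-public:InitiateLayerUpload", "ecr-public:UploadLayerPart",
                "ecr-public:CompleteLayerUpload", "ecr-public:PutImage")

def build_statement(name, effect, actions, everyone=False,
                    services=(), account_ids=(), iam_arns=()):
    """Map the Edit permissions form fields onto one policy statement."""
    if effect not in ("Allow", "Deny"):
        raise ValueError("Effect must be Allow or Deny")
    principal = {}
    if services:
        principal["Service"] = sorted(services)
    if account_ids or iam_arns:
        principal["AWS"] = sorted(account_ids) + sorted(iam_arns)
    if everyone:
        principal = "*"  # the Everyone (*) check box
    elif not principal:
        raise ValueError("a statement needs at least one principal")
    return {"Sid": name, "Effect": effect, "Principal": principal,
            "Action": sorted(actions)}

def _is_everyone(principal):
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def lint(policy):
    """List (Sid, push actions) for Allow statements open to every principal."""
    findings = []
    for st in policy["Statement"]:
        actions = st["Action"]
        patterns = [actions] if isinstance(actions, str) else actions
        pushed = sorted(a for a in PUSH_ACTIONS
                        if any(fnmatchcase(a.lower(), p.lower()) for p in patterns))
        if st["Effect"] == "Allow" and _is_everyone(st["Principal"]) and pushed:
            findings.append((st.get("Sid", ""), pushed))
    return findings

# Constructed sample: one scoped statement and one that is too broad.
POLICY = {"Version": "2012-10-17", "Statement": [
    build_statement("AllowPushFromAccount", "Allow", PUSH_ACTIONS,
                    account_ids=["111122223333"]),
    build_statement("AllowAll", "Allow", ["ecr-public:*"], everyone=True),
]}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print(lint(POLICY))
```

Once the findings list is empty, the JSON can be saved to a file and passed to the set-repository-policy CLI command through its --policy-text option.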