Setting a private registry permission statement - Amazon ECR
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Setting a private registry permission statement

You can add or update the permissions policy for your registry by using the following steps. You can add multiple policy statements per registry. For example policies, see Private registry policy examples.

Private registry permissions for replication

The cross account policy type is used to grant permissions to an Amazon principal, allowing the replication of the repositories from a source registry to your registry. By default, you have permission to configure cross-Region replication within your own registry. You only need to configure the registry policy if you're granting another account permission to replicate contents to your registry.

A registry policy must grant permission for the ecr:ReplicateImage API action. This is an internal Amazon ECR API that replicates images between Regions or accounts. You can also grant the ecr:CreateRepository permission, which allows Amazon ECR to create repositories in your registry if they don't exist already. If the ecr:CreateRepository permission isn't granted, a repository with the same name as the source repository must be created manually in your registry before replication runs; if neither is done, the replication fails. Failed CreateRepository or ReplicateImage API calls are recorded in CloudTrail.

To configure a replication permissions policy for a private registry (Amazon Web Services Management Console)
  1. Open the Amazon ECR console at https://console.amazonaws.cn/ecr/.

  2. From the navigation bar, choose the Region to configure your registry policy in.

  3. In the navigation pane, choose Private registry, Registry permissions.

  4. On the Registry permissions page, choose Generate statement.

  5. Complete the following steps to define your policy statement using the policy generator.

    1. For Policy type, choose Cross account policy.

    2. For Statement ID, enter a unique statement ID. This field is used as the Sid on the registry policy.

    3. For Accounts, enter the account IDs for each account you want to grant permissions to. When specifying multiple account IDs, separate them with a comma.

  6. Expand the Preview policy statement section to review the registry permissions policy statement.

  7. After the policy statement is confirmed, choose Add to policy to save the policy to your registry.

To configure a permissions policy for a private registry (Amazon CLI)
  1. Create a file named registry_policy.json and populate it with a registry policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ReplicationAccessCrossAccount",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::source_account_id:root"
          },
          "Action": [
            "ecr:CreateRepository",
            "ecr:ReplicateImage"
          ],
          "Resource": [
            "arn:aws:ecr:us-west-2:your_account_id:repository/*"
          ]
        }
      ]
    }
  2. Create the registry policy using the policy file. The command replaces any policy already attached to the registry, so the file must contain every statement you want to keep, not only the new one.

    aws ecr put-registry-policy \
        --policy-text file://registry_policy.json \
        --region us-west-2
  3. Retrieve the policy for your registry to confirm.

    aws ecr get-registry-policy \
        --region us-west-2
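The CLI procedure above writes one statement, but put-registry-policy replaces the whole policy document, so in practice you read the current policy back with get-registry-policy, add a statement, and write the merged document. The following is an added example (not code from the Amazon ECR documentation) that builds the replication statement for one or more source accounts, merges it into an existing policy while refusing duplicate Sids, and lists which accounts a policy trusts for ecr:ReplicateImage as a post-write check. The account IDs, Sids and the EXISTING_POLICY_TEXT sample are constructed placeholders; the partition "aws" and Region us-west-2 follow the page's example.

```python
"""Generate and merge an Amazon ECR private registry policy for cross-account replication.

Added example; not code from the Amazon ECR documentation. Assumptions:
  * account IDs and Sids below are constructed placeholders;
  * the policy document format is the one shown on the page (Version 2012-10-17 plus a
    Statement list);
  * `aws ecr put-registry-policy` replaces the entire registry policy, so a statement that
    must coexist with earlier ones is merged into the policyText returned by
    `aws ecr get-registry-policy` before it is written back.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROOT_PRINCIPAL_RE = re.compile(r"^arn:[^:]+:iam::(\d{12}):root$")

# Constructed sample: the policy already on the registry, as get-registry-policy would
# return it in the policyText field (one existing replication grant).
EXISTING_POLICY_TEXT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReplicationAccessCrossAccount",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
        "Action": ["ecr:CreateRepository", "ecr:ReplicateImage"],
        "Resource": ["arn:aws:ecr:us-west-2:111122223333:repository/*"],
    }],
})


def replication_statement(sid, registry_account_id, region, source_account_ids,
                          allow_create_repository=True, partition="aws"):
    """Return one Allow statement letting the source accounts replicate into this registry.

    ecr:ReplicateImage is always granted. ecr:CreateRepository is optional: without it, a
    repository with the same name as the source repository must already exist here,
    otherwise the replication fails (and the failure shows up in CloudTrail).
    """
    if not source_account_ids:
        raise ValueError("at least one source account ID is required")
    for acct in [registry_account_id, *source_account_ids]:
        if not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"not a 12-digit account ID: {acct!r}")
    actions = ["ecr:ReplicateImage"]
    if allow_create_repository:
        actions.insert(0, "ecr:CreateRepository")
    principals = [f"arn:{partition}:iam::{a}:root" for a in source_account_ids]
    return {
        "Sid": sid,
        "Effect": "Allow",
        # one principal is written as a string, like the page's example; several as a list
        "Principal": {"AWS": principals[0] if len(principals) == 1 else principals},
        "Action": actions,
        "Resource": [f"arn:{partition}:ecr:{region}:{registry_account_id}:repository/*"],
    }


def merge_statement(existing_policy_text, statement):
    """Append a statement to the current policy document and return the merged policy.

    `existing_policy_text` is the policyText from get-registry-policy, or None when the
    registry has no policy yet. A duplicate Sid is rejected rather than silently added,
    because each Sid is meant to identify exactly one grant.
    """
    if existing_policy_text:
        policy = json.loads(existing_policy_text)
    else:
        policy = {"Version": "2012-10-17", "Statement": []}
    statements = policy.get("Statement")
    if not isinstance(statements, list):
        raise ValueError("registry policy has no Statement list")
    if any(s.get("Sid") == statement["Sid"] for s in statements):
        raise ValueError(f"Sid {statement['Sid']!r} already exists; choose a unique statement ID")
    statements.append(statement)
    return policy


def replication_sources(policy):
    """Map each Sid that allows ecr:ReplicateImage to the account IDs it trusts.

    A non-root principal or a "*" is returned as-is so that it stands out. Run this on the
    policy from get-registry-policy to confirm only intended accounts can push images in.
    """
    found = {}
    for s in policy.get("Statement", []):
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") != "Allow" or "ecr:ReplicateImage" not in actions:
            continue
        principal = s.get("Principal", {})
        principal = principal.get("AWS", []) if isinstance(principal, dict) else principal
        principal = [principal] if isinstance(principal, str) else principal
        sources = []
        for p in principal:
            m = ROOT_PRINCIPAL_RE.match(p)
            sources.append(m.group(1) if m else p)
        found[s.get("Sid")] = sources
    return found


if __name__ == "__main__":
    new = replication_statement("ReplicationFromProd", "111122223333", "us-west-2",
                                ["777788889999"])
    merged = merge_statement(EXISTING_POLICY_TEXT, new)
    # Save this as registry_policy.json and apply it with:
    #   aws ecr put-registry-policy --policy-text file://registry_policy.json --region us-west-2
    print(json.dumps(merged, indent=2))
    print(replication_sources(merged))
```

The same merge applies when the existing policy came from the console's policy generator; the only requirement is that the new Sid is unique. With boto3 the round trip is `ecr.get_registry_policy()["policyText"]` in and `ecr.put_registry_policy(policyText=json.dumps(merged))` out.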

Private registry permissions for pull through cache

Amazon ECR private registry permissions can be used to scope which IAM entities may use pull through cache, and for which upstream repositories. If an IAM entity is granted more permissions by an IAM policy than the registry permissions policy grants, the IAM policy takes precedence.

To create a private registry permissions policy (Amazon Web Services Management Console)
  1. Open the Amazon ECR console at https://console.amazonaws.cn/ecr/.

  2. From the navigation bar, choose the Region to configure your private registry permissions statement in.

  3. In the navigation pane, choose Private registry, Registry permissions.

  4. On the Registry permissions page, choose Generate statement.

  5. For each pull through cache permissions policy statement you want to create, do the following.

    1. For Policy type, choose Pull through cache policy.

    2. For Statement id, enter a unique statement ID for the pull through cache policy statement. This field is used as the Sid on the registry policy.

    3. For IAM entities, specify the users, groups, or roles to include in the policy.

    4. For Repository namespace, select the pull through cache rule to associate the policy with.

    5. For Repository names, specify the repository base name to apply the rule for. For example, if you want to specify the Amazon Linux repository on Amazon ECR Public, the repository name would be amazonlinux.
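The console procedure above produces a registry policy statement that ties one or more IAM entities to one pull through cache rule and specific upstream repository names. As an added example (not code from the Amazon ECR documentation), the following builds that statement and lints it for the mistakes that widen it: an account root or "*" principal instead of an IAM user or role, a missing action, or a resource wildcard that covers every repository under the rule. The two actions it grants, ecr:CreateRepository and ecr:BatchImportUpstreamImage, are taken from the ECR IAM action list rather than from this page; the account ID, role name, Region and repository names are constructed placeholders, and the resource ARN follows the page's repository/<namespace>/<name> layout with the partition "aws" used in the page's examples.

```python
"""Build and lint a pull through cache statement for an Amazon ECR private registry policy.

Added example; not code from the Amazon ECR documentation. Assumptions:
  * the account ID, role name, Region and repository names are constructed placeholders;
  * the actions granted (ecr:CreateRepository so the cached repository can be created on
    first pull, ecr:BatchImportUpstreamImage to import the upstream image) come from the
    ECR IAM action list, not from this page;
  * `namespace` is the repository prefix of the pull through cache rule (e.g. ecr-public)
    and `repository_names` are upstream base names (e.g. amazonlinux).
"""
import re

IAM_ENTITY_RE = re.compile(r"^arn:[^:]+:iam::\d{12}:(user|role)/.+$")
PULL_THROUGH_CACHE_ACTIONS = ["ecr:CreateRepository", "ecr:BatchImportUpstreamImage"]


def pull_through_cache_statement(sid, registry_account_id, region, principal_arns,
                                 namespace, repository_names, partition="aws"):
    """Allow the listed IAM users/roles to pull the named upstream repositories through
    one pull through cache rule; other repositories under that rule stay ungranted."""
    if not principal_arns or not repository_names:
        raise ValueError("need at least one IAM entity and one repository name")
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": list(principal_arns)},
        "Action": list(PULL_THROUGH_CACHE_ACTIONS),
        "Resource": [
            f"arn:{partition}:ecr:{region}:{registry_account_id}:repository/{namespace}/{name}"
            for name in repository_names
        ],
    }


def lint_pull_through_cache_statement(statement):
    """Return a list of findings for a statement that is broader or weaker than intended.

    An empty list means: only IAM users/roles as principals, both actions present, and
    no resource wildcard that would let the principal cache any upstream repository.
    """
    findings = []
    principals = statement.get("Principal", {})
    principals = principals.get("AWS", []) if isinstance(principals, dict) else principals
    principals = [principals] if isinstance(principals, str) else principals
    for p in principals:
        if p == "*":
            findings.append("principal '*' lets any AWS account use the cache rule")
        elif not IAM_ENTITY_RE.match(p):
            findings.append(f"principal {p} is not an IAM user or role (account root?)")
    actions = statement.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    for a in PULL_THROUGH_CACHE_ACTIONS:
        if a not in actions:
            findings.append(f"missing action {a}")
    resources = statement.get("Resource", [])
    resources = [resources] if isinstance(resources, str) else resources
    for r in resources:
        if r.endswith("/*"):
            findings.append(f"resource {r} matches every repository under the prefix")
    return findings


if __name__ == "__main__":
    stmt = pull_through_cache_statement(
        "AllowAmazonLinuxCache", "111122223333", "us-west-2",
        ["arn:aws:iam::111122223333:role/ci-builder"], "ecr-public", ["amazonlinux"])
    print(stmt)
    print(lint_pull_through_cache_statement(stmt) or "statement is scoped as intended")
```

Add the statement to the registry policy the same way as a replication statement, remembering that the IAM policy attached to the role still has to allow the pull itself; the registry statement only narrows which rule and upstream names that role may populate.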