Private registry policy examples for Amazon ECR - Amazon ECR
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Private registry policy examples for Amazon ECR

The following examples show registry permissions policy statements that you could use to control the permissions that users have to your Amazon ECR registry.

Note

In each example, if the ecr:CreateRepository action is removed from your registry permission statement, replication can still occur. However, for successful replication, you need to create repositories with the same name within your account.

Example: Allow the root user of a source account to replicate all repositories

The following registry permissions policy allows the root user of a source account to replicate all repositories.

{ "Version":"2012-10-17", "Statement":[ { "Sid":"ReplicationAccessCrossAccount", "Effect":"Allow", "Principal":{ "AWS":"arn:aws:iam::source_account_id:root" }, "Action":[ "ecr:CreateRepository", "ecr:ReplicateImage" ], "Resource": [ "arn:aws:ecr:us-west-2:your_account_id:repository/*" ] } ] }

Example: Allow root users from multiple accounts

The following registry permissions policy has two statements. Each statement allows the root user of a source account to replicate all repositories.

{ "Version":"2012-10-17", "Statement":[ { "Sid":"ReplicationAccessCrossAccount1", "Effect":"Allow", "Principal":{ "AWS":"arn:aws:iam::source_account_1_id:root" }, "Action":[ "ecr:CreateRepository", "ecr:ReplicateImage" ], "Resource": [ "arn:aws:ecr:us-west-2:your_account_id:repository/*" ] }, { "Sid":"ReplicationAccessCrossAccount2", "Effect":"Allow", "Principal":{ "AWS":"arn:aws:iam::source_account_2_id:root" }, "Action":[ "ecr:CreateRepository", "ecr:ReplicateImage" ], "Resource": [ "arn:aws:ecr:us-west-2:your_account_id:repository/*" ] } ] }

Example: Allow the root user of a source account to replicate all repositories with prefix prod-.

The following registry permissions policy allows the root user of a source account to replicate all repositories that start with prod-.

{ "Version":"2012-10-17", "Statement":[ { "Sid":"ReplicationAccessCrossAccount", "Effect":"Allow", "Principal":{ "AWS":"arn:aws:iam::source_account_id:root" }, "Action":[ "ecr:CreateRepository", "ecr:ReplicateImage" ], "Resource": [ "arn:aws:ecr:us-west-2:your_account_id:repository/prod-*" ] } ] }