Private registry policy examples for Amazon ECR
The following examples show registry permissions policy statements that you could use to control the permissions that users have to your Amazon ECR registry.
Note
In each example, if the ecr:CreateRepository action is removed from your registry permission statement, replication can still occur. However, for successful replication, you need to create repositories with the same name within your account.
Example: Allow the root user of a source account to replicate all repositories
The following registry permissions policy allows the root user of a source account to replicate all repositories.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReplicationAccessCrossAccount",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::source_account_id:root"
      },
      "Action": [
        "ecr:CreateRepository",
        "ecr:ReplicateImage"
      ],
      "Resource": [
        "arn:aws:ecr:us-west-2:your_account_id:repository/*"
      ]
    }
  ]
}
Example: Allow root users from multiple accounts
The following registry permissions policy has two statements. Each statement allows the root user of a source account to replicate all repositories.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReplicationAccessCrossAccount1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::source_account_1_id:root"
      },
      "Action": [
        "ecr:CreateRepository",
        "ecr:ReplicateImage"
      ],
      "Resource": [
        "arn:aws:ecr:us-west-2:your_account_id:repository/*"
      ]
    },
    {
      "Sid": "ReplicationAccessCrossAccount2",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::source_account_2_id:root"
      },
      "Action": [
        "ecr:CreateRepository",
        "ecr:ReplicateImage"
      ],
      "Resource": [
        "arn:aws:ecr:us-west-2:your_account_id:repository/*"
      ]
    }
  ]
}
Example: Allow the root user of a source account to replicate all repositories with prefix prod-
The following registry permissions policy allows the root user of a source account to replicate all repositories that start with prod-.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReplicationAccessCrossAccount",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::source_account_id:root"
      },
      "Action": [
        "ecr:CreateRepository",
        "ecr:ReplicateImage"
      ],
      "Resource": [
        "arn:aws:ecr:us-west-2:your_account_id:repository/prod-*"
      ]
    }
  ]
}
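To review a registry policy before applying it, the following added example (not AWS's own code) models how the Note above and the prod- prefix scoping combine for a given replication request. It is a simplified offline check: the function names, the outcome strings and the account IDs 111111111111 (source) and 222222222222 (destination) are assumptions made for illustration, and only Allow statements with an exact root-ARN principal are considered.

```python
import re

# Constructed sample: the page's prod- prefix policy with placeholder account
# IDs and with ecr:CreateRepository removed, which is the case the Note covers.
# Simplified model: Deny statements and Condition blocks are not evaluated.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReplicationAccessCrossAccount",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": ["ecr:ReplicateImage"],
        "Resource": ["arn:aws:ecr:us-west-2:222222222222:repository/prod-*"],
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value):
    # Policy wildcards: * matches any run of characters, ? matches exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def granted_actions(policy, source_account, repo_arn):
    """Replication actions the Allow statements grant this source account on repo_arn."""
    granted = set()
    for st in _as_list(policy["Statement"]):
        principal = st.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or f"arn:aws:iam::{source_account}:root" not in aws:
            continue
        if not any(_wild(r, repo_arn) for r in _as_list(st.get("Resource", []))):
            continue
        for action in ("ecr:CreateRepository", "ecr:ReplicateImage"):
            if any(_wild(p, action) for p in _as_list(st.get("Action", []))):
                granted.add(action)
    return granted

def replication_outcome(policy, source_account, repo_arn, repo_exists):
    """Return 'denied', 'replicates', or 'needs-precreated-repo' (hypothetical labels)."""
    granted = granted_actions(policy, source_account, repo_arn)
    if "ecr:ReplicateImage" not in granted:
        return "denied"
    if repo_exists or "ecr:CreateRepository" in granted:
        return "replicates"
    # Per the Note: without CreateRepository the repository must already exist.
    return "needs-precreated-repo"
```

Running a list of expected source accounts and repository names through replication_outcome before the policy is applied shows which repositories must be created by hand and which requests the prefix scoping rejects.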