What are the minimal AWS IAM permissions needed to proxy images from Elastic Container Registry (ECR)


#1

I’d like Replicated to proxy my private images from ECR as described here https://help.replicated.com/docs/kubernetes/getting-started/docker-registries/#using-external-registries .

I’ve gotten this working using my Access Key ID and Secret Access Key, but I’d like to provision an IAM user that has only minimal access. Ideally it should be able to pull images from ECR, but shouldn’t have any other AWS access. What sort of policy definition should I be using in AWS when generating ECR credentials?


#2

If exposing all images to Replicated is an acceptable solution, the Amazon-provided AmazonEC2ContainerRegistryReadOnly policy will work:

{
	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"ecr:GetAuthorizationToken",
			"ecr:BatchCheckLayerAvailability",
			"ecr:GetDownloadUrlForLayer",
			"ecr:GetRepositoryPolicy",
			"ecr:DescribeRepositories",
			"ecr:ListImages",
			"ecr:DescribeImages",
			"ecr:BatchGetImage"
		],
		"Resource": "*"
	}]
}

If you wish to limit Replicated to only certain images, this policy should be used instead:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage"
            ],
            "Resource": [
                "arn:aws:ecr:us-east-1:<account-id>:repository/<repo1>",
                "arn:aws:ecr:us-east-1:<account-id>:repository/<repo2>"
            ]
        }
    ]
}
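The scoped policy above has a shape worth checking mechanically: `ecr:GetAuthorizationToken` is not a repository-level action, so it has to be granted on `Resource: "*"`, while every other pull action should be pinned to explicit repository ARNs and no write action (`ecr:Put*`, `ecr:InitiateLayerUpload`, `ecr:Delete*`, ...) should appear at all. The following is an added example, not code from this thread, from Replicated or from AWS: it builds that two-statement policy for a list of repositories and lints a policy document against those invariants. The region, account ID and repository names in it are constructed placeholders.

```python
"""Build and lint a least-privilege IAM policy for pulling images from ECR.

Added example (not from the forum thread, Replicated or AWS). Region, account
ID and repository names used below are constructed placeholders.
"""
import json

# Repository-level actions a registry proxy needs in order to pull an image.
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:GetRepositoryPolicy",
    "ecr:DescribeRepositories",
    "ecr:ListImages",
    "ecr:DescribeImages",
    "ecr:BatchGetImage",
]

# Action prefixes that would let the credential write to or reshape the
# registry. A pull-only policy must never grant any of them.
WRITE_ACTION_PREFIXES = (
    "ecr:Put", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload", "ecr:Delete", "ecr:Create", "ecr:Set",
    "ecr:Tag", "ecr:Untag", "ecr:BatchDelete", "ecr:StartImageScan",
    "ecr:StartLifecyclePolicyPreview", "ecr:ReplicateImage",
)


def repo_arn(region, account_id, repo):
    """ARN of one ECR repository, e.g. arn:aws:ecr:us-east-1:123456789012:repository/app/api."""
    return f"arn:aws:ecr:{region}:{account_id}:repository/{repo}"


def build_pull_policy(region, account_id, repos):
    """Return a policy dict that can pull only from the named repositories."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Token issuance is account-wide, so "*" is the only valid resource here.
            {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
            # The actual pull actions are pinned to explicit repository ARNs.
            {"Effect": "Allow", "Action": list(PULL_ACTIONS),
             "Resource": [repo_arn(region, account_id, r) for r in repos]},
        ],
    }


def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def check_pull_policy(policy):
    """Lint a policy document; returns a list of findings (empty = passes)."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for a in actions:
            if a in ("*", "ecr:*") or a.startswith(WRITE_ACTION_PREFIXES):
                findings.append(f"statement {i}: wildcard or write action {a}")
        if "ecr:GetAuthorizationToken" in actions and resources != ["*"]:
            findings.append(f'statement {i}: ecr:GetAuthorizationToken needs Resource "*"')
        repo_actions = [a for a in actions if a != "ecr:GetAuthorizationToken"]
        if repo_actions and "*" in resources:
            findings.append(f"statement {i}: repository actions granted on all repositories")
        for r in resources:
            if r != "*" and not r.startswith("arn:aws:ecr:"):
                findings.append(f"statement {i}: non-ECR resource {r}")
    return findings


if __name__ == "__main__":
    # Constructed sample input: one account, two repositories.
    policy = build_pull_policy("us-east-1", "123456789012", ["app/api", "app/web"])
    print(json.dumps(policy, indent=2))
    print("findings:", check_pull_policy(policy) or "none")
```

Note that the linter deliberately flags the AmazonEC2ContainerRegistryReadOnly shape (pull actions on `Resource: "*"`), since that is exactly the difference between the two policies in the answer. After attaching the generated document to the IAM user, the grant can be confirmed without pulling anything by running `aws iam simulate-principal-policy --policy-source-arn <user-arn> --action-names ecr:BatchGetImage ecr:InitiateLayerUpload --resource-arns <repository-arn>` and checking that the pull action is `allowed` and the upload action `implicitDeny`.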