In addition to the Amazon ECR API permissions needed to authenticate to a private registry and to push and pull images, the following additional permissions are needed to use pull through cache rules effectively.
ecr:CreatePullThroughCacheRule â Grants permission to create a pull through cache rule. This permission must be granted via an identity-based IAM policy.
ecr:BatchImportUpstreamImage â Grants permission to retrieve the external image and import it to your private registry. This permission can be granted by using the private registry permissions policy, an identity-based IAM policy, or by using the resource-based repository permissions policy. For more information about using repository permissions, see Private repository policies in Amazon ECR.
ecr:CreateRepository â Grants permission to create a repository in a private registry. This permission is required if the repository storing the cached images doesn't already exist. This permission can be granted by either an identity-based IAM policy or the private registry permissions policy.
Amazon ECR private registry permissions may be used to scope the permissions of individual IAM entities to use pull through cache. If an IAM entity has more permissions granted by an IAM policy than the registry permissions policy is granting, the IAM policy takes precedence. For example, if user has ecr:* permissions granted, no additional permissions are needed at the registry level.
Open the Amazon ECR console at https://console.aws.amazon.com/ecr/.
From the navigation bar, choose the Region to configure your private registry permissions statement in.
In the navigation pane, choose Private registry, Registry permissions.
On the Registry permissions page, choose Generate statement.
For each pull through cache permissions policy statement you want to create, do the following.
For Policy type, choose Pull through cache policy.
For Statement id, provide a name for the pull through cache statement policy.
For IAM entities, specify the users, groups, or roles to include in the policy.
For Repository namespace, select the pull through cache rule to associate the policy with.
For Repository names, specify the repository base name to apply the rule for. For example, if you want to specify the Amazon Linux repository on Amazon ECR Public, the repository name would be amazonlinux.
Use the following AWS CLI command to specify the private registry permissions using the AWS CLI.
Create a local file named ptc-registry-policy.json with the contents of your registry policy. The following example grants the ecr-pull-through-cache-user permission to create a repository and pull an image from Amazon ECR Public, which is the upstream source associated with the previously created pull through cache rule.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PullThroughCacheFromReadOnlyRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/ecr-pull-through-cache-user"
},
"Action": [
"ecr:CreateRepository",
"ecr:BatchImportUpstreamImage"
],
"Resource": "arn:aws:ecr:us-east-1:111122223333:repository/ecr-public/*"
}
]
}
The ecr-CreateRepository permission is only required if the repository storing the cached images doesn't already exist. For example, if the repository creation action and the image pull actions are being done by separate IAM principals such as an administrator and a developer.
Use the put-registry-policy command to set the registry policy.
aws ecr put-registry-policy \
--policy-text file://ptc-registry.policy.jsonOnce you are ready to start using pull through cache rules, the following are the next steps.
Sync an upstream registry
Setting up permissions for cross-account ECR to ECR PTC
Did this page help you? - Yes
Thanks for letting us know we're doing a good job!
If you've got a moment, please tell us what we did right so we can do more of it.
Did this page help you? - No
Thanks for letting us know this page needs work. We're sorry we let you down.
If you've got a moment, please tell us how we can make the documentation better.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4