I am trying to put together an IAM role to allow pulling an image from ECR. I want to control access to the image using a specific tag (the image tag, not an AWS resource tag). So far, it seems that AWS only allows attribute-based access control on the ECR repository itself.
Moving the images of interest to a new repo and giving access to that seems like the only option, but I am really trying to avoid that. Any ideas?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": "arn:aws:ecr:XXXX:XXXX:repository/XXXX",
      "Condition": {
        "StringEquals": {
          ...
        }
      }
    }
  ]
}
2 Answers
According to the AWS documentation, you cannot use an image tag as a condition in an IAM policy.
AWS does not currently support fine-grained permissions based on image tags within Amazon Elastic Container Registry (ECR). Access control for ECR operates at the repository level, and while you can use IAM policies to control actions on repositories, there is no built-in mechanism to apply conditions to specific image tags.
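Since the condition has to target the repository rather than the image tag, the closest supported pattern is attribute-based access control on the repository's AWS resource tag. The policy below is an added example written for this thread, not code from the question or the answer; the region, account ID, and the resource tag key `pull-group` with value `release` are assumed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEcrLogin",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "PullFromTaggedRepositoriesOnly",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/pull-group": "release"
        }
      }
    }
  ]
}
```

The `aws:ResourceTag/pull-group` condition is evaluated against the tag attached to the repository (set with `aws ecr tag-resource --resource-arn <repository ARN> --tags Key=pull-group,Value=release`), so every image in a repository carrying that tag is pullable regardless of its image tag; `ecr:GetAuthorizationToken` has no resource-level scoping and must stay on `"*"`. If a pull must be limited to a subset of images, those images still have to live in their own repository, which is the workaround the question was hoping to avoid.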