Allow pulling from ECR ecr.dkr VPC Endpoint, but not pushing? - Docker - PhpOut

OJFord
July 7, 2022
251 views
0 votes
2 Answers

It is possible to allow pulling from but not pushing to the Docker API VPC Endpoint (com.amazonaws.<region>.ecr.dkr) in its attached policy?

I can’t find a reference for any supported actions other than "*", is there a way to specify pull only? Or something via a condition?

Tags: amazon-ecr amazon-web-services docker vpc-endpoint

Answers

- Paolo
- July 7, 2022 at 11:11 pm
- 0 votes
0
Yes, you can achieve this with a VPC endpoint policy.

Here’s an example from the documentation. This policy enables a specific IAM role to pull images from Amazon ECR:
```
{
    "Statement": [{
        "Sid": "AllowPull",
        "Principal": {
            "AWS": "arn:aws:iam::1234567890:role/role_name"
        },
        "Action": [
            "ecr:BatchGetImage",
            "ecr:GetDownloadUrlForLayer",
            "ecr:GetAuthorizationToken"
        ],
        "Effect": "Allow",
        "Resource": "*"
    }]
}
```
Login or Signup to reply.

- BumsikKim
- December 21, 2022 at 3:23 am
- 0 votes
0
In AWS Console, add security groups that your instances (maybe all possible security groups) are using to the VPC endpoints.

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.