Is it possible to allow pulling from but not pushing to the Docker API VPC Endpoint (com.amazonaws.<region>.ecr.dkr) in its attached policy?
I can't find a reference for any supported actions other than "*". Is there a way to specify pull only? Or something via a condition?
2 Answers
Yes, you can achieve this with a VPC endpoint policy.
Here’s an example from the documentation. This policy enables a specific IAM role to pull images from Amazon ECR:
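A pull-only endpoint policy of the kind this answer describes, written here as an added illustration rather than the documentation's own example; the account id and role name are placeholders, and only the actions a `docker pull` needs are granted:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPullOnlyForRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/ExamplePullRole"
      },
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach the same policy to both the `ecr.dkr` and `ecr.api` endpoints, because the Docker client obtains its registry token through `ecr.api`; a push through the endpoint is then refused because none of the push actions (`ecr:InitiateLayerUpload`, `ecr:UploadLayerPart`, `ecr:CompleteLayerUpload`, `ecr:PutImage`) is granted.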
In AWS Console, add security groups that your instances (maybe all possible security groups) are using to the VPC endpoints.