
Is it possible to allow pulling from but not pushing to the Docker API VPC Endpoint (com.amazonaws.<region>.ecr.dkr) in its attached policy?

I can't find a reference for any supported actions other than "*". Is there a way to specify pull only, or something via a condition?

2 Answers


  1. Yes, you can achieve this with a VPC endpoint policy.

    Here’s an example from the documentation. This policy enables a specific IAM role to pull images from Amazon ECR:

    {
        "Statement": [{
            "Sid": "AllowPull",
            "Principal": {
                "AWS": "arn:aws:iam::1234567890:role/role_name"
            },
            "Action": [
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetAuthorizationToken"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }]
    }
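As an added example (my own code, not from the answer above or from AWS), a small Python check that lints an ECR endpoint policy for any push-capable action left open; the list of push-side API actions is my assumption about what `docker push` calls, and the two sample policies are constructed inline. It handles wildcards, `NotAction` and explicit `Deny` statements, which a by-eye review of the JSON tends to miss.

```python
import fnmatch
import json

# ECR API actions exercised by `docker push`; `docker pull` needs only
# BatchGetImage, GetDownloadUrlForLayer and GetAuthorizationToken.
PUSH_ACTIONS = ("ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload", "ecr:PutImage")

# Constructed sample: the pull-only endpoint policy from the answer above.
PULL_ONLY_POLICY = json.dumps({"Statement": [{
    "Sid": "AllowPull",
    "Principal": {"AWS": "arn:aws:iam::1234567890:role/role_name"},
    "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
               "ecr:GetAuthorizationToken"],
    "Effect": "Allow", "Resource": "*"}]})

# Constructed sample: the permissive "*" policy the question refers to.
WILDCARD_POLICY = json.dumps({"Statement": [{
    "Principal": "*", "Action": "*", "Effect": "Allow", "Resource": "*"}]})

def _as_list(value):
    """IAM accepts a single string where a list is expected; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    """IAM action names match case-insensitively and support '*' and '?'."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def allowed_push_actions(policy_json):
    """Push-capable actions the policy grants: Allow hits minus explicit Deny.

    Principal, Resource and Condition are ignored on purpose: any principal
    being able to push through the endpoint is what we want to surface.
    """
    doc = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(doc.get("Statement")):
        if "NotAction" in stmt:  # grants everything except the listed actions
            hits = {a for a in PUSH_ACTIONS if not _matches(a, _as_list(stmt["NotAction"]))}
        else:
            hits = {a for a in PUSH_ACTIONS if _matches(a, _as_list(stmt.get("Action")))}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return sorted(allowed - denied)

def is_pull_only(policy_json):
    """True when no push-capable ECR action is left open by the policy."""
    return not allowed_push_actions(policy_json)
```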
  2. In AWS Console, add security groups that your instances (maybe all possible security groups) are using to the VPC endpoints.