Add new values for ECRAccessPolicy that include ecr:BatchImportUpstreamImage
#1270
base: main
Conversation
Statement:
- Effect: Allow
  Action:
  - ecr:BatchImportUpstreamImage
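Review bot: the hunk shows an Effect and an Action but no Resource element, so it is not visible here whether ecr:BatchImportUpstreamImage is limited to the pull-through cache repositories or granted on every repository in the registry; given the concern raised later in this thread about users creating repositories outside the pull-through cache, consider constraining Resource to the cache repository prefix ARN rather than a wildcard, and document in the PR which additional action (ecr:CreateRepository is mentioned below) is needed for the first pull of an uncached image.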
You may also want ecr:CreateRepository here. That permission is required for the first pull of a new image that's never been cached before. After that, ecr:BatchImportUpstreamImage is enough to pull new tags of the image into the repository.
Oh right, the docs state it as "Grants permission to create a repository in a private registry." but the "repository" is just the part of the image w/o the tag.
This is needed to create the repository for the image in the pull-through cache. While there is a risk that users could create repositories in non-pull-through caches, they won't necessarily be able to upload any layers to that repository.
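The two comments above describe why the single action in the diff is not enough for a first pull and why an unscoped ecr:CreateRepository grant is a concern. The following is an added illustration, not part of this PR or the project's templates: the statement as it appears in the diff beside a version that adds ecr:CreateRepository and limits both actions to the pull-through cache prefix. The region, account ID and the cache prefix `ecr-public` are placeholder assumptions, and the ordinary pull actions (ecr:BatchGetImage, ecr:GetDownloadUrlForLayer, ecr:GetAuthorizationToken) are assumed to already be granted by the existing read-only policy.

```yaml
# Added example: weak vs. scoped pull-through-cache statements (placeholders, not project code)

# 1. As in the diff: cache-miss pulls of already-cached images work, but the first
#    pull of a never-cached image fails because the cache repository cannot be created.
#    Without a Resource constraint, this applies to every repository in the registry.
WeakStatement:
  - Effect: Allow
    Action:
      - ecr:BatchImportUpstreamImage
    Resource: "*"

# 2. Scoped: both actions, limited to repositories under the pull-through cache prefix.
#    ecr:CreateRepository is only usable for cache repositories under that prefix,
#    so users cannot use it to create arbitrary repositories elsewhere in the registry.
ScopedStatement:
  - Effect: Allow
    Action:
      - ecr:BatchImportUpstreamImage
      - ecr:CreateRepository
    Resource:
      # <region>, <account-id> and the "ecr-public" prefix are placeholders;
      # the prefix must match the repository prefix of the pull-through cache rule.
      - arn:aws:ecr:<region>:<account-id>:repository/ecr-public/*
```

A quick check after deploying the scoped version is to pull a tag of an image that has never been cached, then a second tag of the same image, and confirm both succeed while a repository create outside the prefix is denied.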
+ is not a valid character in a mapping name for CloudFormation, even though it is for YAML.
This turned into more of a saga than I thought. I'm going to put it back to draft and rework it a little.
This IAM permission is necessary to use an ECR pull through cache. Technically, it is not readonly, as images will be written to the pull through cache on cache misses. Surprisingly, it is not in poweruser either. But we think customers will want to give Stacks the ability to use pull through caches without giving full permissions. See https://docs.aws.amazon.com/AmazonECR/latest/userguide/pull-through-cache.html for more details.