Is it possible to allow pulling from, but not pushing to, the Docker API VPC endpoint (com.amazonaws.<region>.ecr.dkr) in its attached policy?
I can't find a reference for any supported actions other than "*"; is there a way to specify pull only, or something via a condition?
Yes, you can achieve this with a VPC endpoint policy.
Here's an example from the documentation. This policy enables a specific IAM role to pull images from Amazon ECR:

```json
{
  "Statement": [{
    "Sid": "AllowPull",
    "Principal": {
      "AWS": "arn:aws:iam::1234567890:role/role_name"
    },
    "Action": [
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
      "ecr:GetAuthorizationToken"
    ],
    "Effect": "Allow",
    "Resource": "*"
  }]
}
```
In the AWS Console, add the security groups that your instances use (maybe all possible security groups) to the VPC endpoints.
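To check that an endpoint policy really is pull-only before attaching it, the following added audit script (not part of the answer above) expands the policy's Allow actions, including wildcards such as "*" or "ecr:*", and flags any push-related action. The split of ECR actions into pull and push sets is this script's own assumption; the policy documents are constructed inline from the question and answer.

```python
"""Audit an ECR (dkr) VPC endpoint policy for pull-only access (added example)."""
import fnmatch
import json

# Actions a docker pull needs (matches the policy in the answer).
PULL_ACTIONS = {
    "ecr:GetAuthorizationToken",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
}
# Actions a docker push needs; allowing any of these defeats "pull only".
# Classification is this script's assumption, not an AWS-published list.
PUSH_ACTIONS = {
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
    "ecr:BatchCheckLayerAvailability",
}

def allowed_actions(policy: dict) -> set:
    """Return every known ECR action granted by the policy's Allow statements.
    Wildcards are matched case-insensitively, as IAM does; Deny statements
    are ignored, so the result is an upper bound on what is granted."""
    granted = set()
    known = PULL_ACTIONS | PUSH_ACTIONS
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            granted.update(a for a in known
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return granted

def is_pull_only(policy: dict) -> bool:
    """True when the policy allows a full pull but nothing push-related."""
    granted = allowed_actions(policy)
    return PULL_ACTIONS <= granted and not (granted & PUSH_ACTIONS)

# Constructed inputs: the answer's policy and the "*" variant from the question.
PULL_POLICY = json.loads("""{"Statement": [{"Sid": "AllowPull",
  "Principal": {"AWS": "arn:aws:iam::1234567890:role/role_name"},
  "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:GetAuthorizationToken"],
  "Effect": "Allow", "Resource": "*"}]}""")
FULL_ACCESS_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
                                     "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    print("answer policy pull-only:", is_pull_only(PULL_POLICY))        # True
    print("\"*\" policy pull-only:", is_pull_only(FULL_ACCESS_POLICY))  # False
```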