stackoom
  简体   繁体   中英

Allow pulling from ECR ecr.dkr VPC Endpoint, but not pushing?

 原文  2022-07-07 21:05:12       amazon-web-services/ docker/ amazon-ecr/ vpc-endpoint

Question

It is possible to allow pulling from but not pushing to the Docker API VPC Endpoint ( com.amazonaws.<region>.ecr.dkr ) in its attached policy?

I can't find a reference for any supported actions other than "*" , is there a way to specify pull only? Or something via a condition?

2 answers

solution1
 1  2022-07-07 21:11:01

Yes, you can achieve this with a VPC endpoint policy.

Here's an example from the documentation . This policy enables a specific IAM role to pull images from Amazon ECR:

{
    "Statement": [{
        "Sid": "AllowPull",
        "Principal": {
            "AWS": "arn:aws:iam::1234567890:role/role_name"
        },
        "Action": [
            "ecr:BatchGetImage",
            "ecr:GetDownloadUrlForLayer",
            "ecr:GetAuthorizationToken"
        ],
        "Effect": "Allow",
        "Resource": "*"
    }]
}

solution2
 0  2022-12-21 02:23:51

In AWS Console, add security groups that your instances (maybe all possible security groups) are using to the VPC endpoints.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question ECR Policy Mapped to VPC Endpoint AWS Fargate private subnet, pulling from ECR Pulling image from AWS ECR repository without AWS credentials Pushing an image to ECR, getting "Retrying in ... seconds" Error while pulling docker image from ECR to EC2 using github actions Error pushing docker build to ECR on pip install of mysqlclient ##[error]denied: Not Authorized when pushing docker image to AWS ECR How to pull docker image from ECR in Githubactions Uploading a Docker Image to ECR from S3 ECS service cannot pull from ECR
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM