Push image to ECR works for private repositories only

Question

I'm trying to push an image to a public repository in ECR. To be able to do so, I created a policy that gives push permissions and attached this policy to my user. The policy in JSON format is the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:*"
            ],
            "Resource": "arn:aws:ecr:us-east-1:*:repository/my-app"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:*"
            ],
            "Resource": "arn:aws:ecr:us-east-1:*:repository/my-app-public"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        }
    ]
}

The push works fine for the private repository but gives the error denied: Not Authorized when I try to push the image to the public repo. How can I push an image to an ECR public repo?

Answer 1

ECR Public is its own service (with its own ecr-public:* actions). To push images to ECR Public, a set of ecr-public actions is needed in the statement.

The first example here should get you on the right track: https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-policy-examples.html