AWS ECR CF template fails with 'Invalid repository policy provided'
Solution 1
Having a read of the documentation around ECR repository policies, it turns out the Principal list is limited to users and root accounts. So you will probably need to swap to listing all the users you want to give access to.
Amazon's documentation has some examples of what you can do with it.
Solution 2
Just in case duke of muppets' link breaks, here is an example. I had trouble today with the automatically created JSON. This seemed to fix it.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPushPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<<id number of root user here>>:user/<<some iam user>>"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ]
    }
  ]
}
Solution 3
A suitable solution might be to use a role ARN instead of groups (which don't work) and/or IAM users:
ECR:
  Type: AWS::ECR::Repository
  Properties:
    RepositoryPolicyText:
      Version: "2012-10-17"
      Statement:
        -
          Sid: AllowPushPull
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/${MyPreparedRole}
          Action:
            - "ecr:GetDownloadUrlForLayer"
            - "ecr:..."
The role "MyPreparedRole" can be provided within a group.
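The constraint behind Solution 1 and Solution 3 (an ECR repository policy is a resource-based policy, so its Principal has to be an authenticated identity such as a user, a role or an account root, never an IAM group) is easy to check before you run the stack. The following pre-flight linter is an added example written for this page, not code from any of the answers or from AWS; it takes the policy as JSON text or as an already parsed dict, flags group ARNs, malformed account IDs, missing Principal and non-ECR actions, and skips principals that are CloudFormation intrinsics (such as the `!Sub` in Solution 3), since those cannot be checked statically. The two sample policies are constructed for the example: the first mirrors the question's grant to `group/admin`, the second the same grant to a role; the account ID `000000000000` and the role name `MyPreparedRole` are placeholders.

```python
import json
import re
from typing import Any, Dict, List, Union

# IAM principal ARN shape; the account segment is captured so its length can be
# checked (AWS account IDs are always 12 digits).
_IAM_ARN = re.compile(r"^arn:aws:iam::(\d*):(root|user|role|group)(/.*)?$")

# Constructed sample (not from the page): the question's grant, as JSON text,
# to an IAM group. ECR rejects this with "Invalid repository policy provided".
BROKEN_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAll",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::000000000000:group/admin"]},
      "Action": ["ecr:*"]
    }
  ]
}"""

# Constructed sample: the same grant to a role (placeholder name), which ECR accepts.
FIXED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPushPull",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::000000000000:role/MyPreparedRole"},
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
            ],
        }
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_ecr_policy(policy_text: Union[str, Dict[str, Any]]) -> List[str]:
    """Pre-flight checks for an ECR repository policy (JSON text or parsed dict).

    Returns human-readable problems; an empty list means every check here passed
    (ECR may still reject the policy for reasons this linter does not model).
    """
    problems: List[str] = []
    try:
        policy = json.loads(policy_text) if isinstance(policy_text, str) else policy_text
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc}"]

    if policy.get("Version") not in ("2012-10-17", "2008-10-17"):
        problems.append('Version must be "2012-10-17" or "2008-10-17"')

    statements = _as_list(policy.get("Statement"))
    if not statements:
        problems.append("policy has no Statement")

    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement #{index}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{sid}: Effect must be Allow or Deny")

        # A resource-based policy must say who is being granted access.
        principal = stmt.get("Principal")
        if principal is None:
            problems.append(f"{sid}: missing Principal (required in a resource-based policy)")
        elif isinstance(principal, dict):
            for arn in _as_list(principal.get("AWS")):
                if not isinstance(arn, str) or arn == "*":
                    continue  # intrinsic function (e.g. Fn::Sub) or wildcard: nothing to check
                match = _IAM_ARN.match(arn)
                if match is None:
                    problems.append(f"{sid}: {arn!r} is not an IAM principal ARN")
                    continue
                account, kind = match.group(1), match.group(2)
                if len(account) != 12:
                    problems.append(f"{sid}: account ID in {arn!r} must be 12 digits")
                if kind == "group":
                    # The cause of the error in the question: IAM groups can never be a
                    # principal in any resource-based policy; grant the users or a role.
                    problems.append(
                        f"{sid}: IAM group {arn!r} cannot be a principal; use a user or role ARN"
                    )

        for action in _as_list(stmt.get("Action")):
            if not (action == "*" or action.startswith("ecr:")):
                problems.append(f"{sid}: {action!r} is not an ECR action")

    return problems


if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY_JSON), ("fixed", FIXED_POLICY)):
        print(name, lint_ecr_policy(policy) or "ok")
```

For a YAML template, load the `RepositoryPolicyText` mapping first (for instance with PyYAML and a loader that tolerates the `!Ref`/`!Sub` tags) and pass the resulting dict in; anything that is still an intrinsic at that point is skipped rather than flagged.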
Comments
- Neil H Watson, almost 2 years ago
This CF template fails:
MyECSrepo:
  Type: "AWS::ECR::Repository"
  Properties:
    RepositoryName: !Ref RepoName
    RepositoryPolicyText:
      Version: "2012-10-17"
      Statement:
        - Sid: AllowAll
          Effect: Allow
          Principal:
            AWS:
              - arn:aws:iam::00000000000:group/admin
          Action:
            - "ecr:*"
The stack creation produces this error:
Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'
What might the problem be?