

# Amazon ECR public repositories
<a name="public-repositories"></a>

Amazon Elastic Container Registry provides API operations to create, monitor, and delete public image repositories and set permissions that control who can push images to them. You can perform the same actions in the **Repositories** section of the Amazon ECR console. Amazon ECR integrates with the Docker CLI to push images from your development environments to your public repositories.

A public repository is open to pull images from and is visible on the Amazon ECR Public Gallery. When you create a public repository, you specify catalog data that helps users find and use your images. For more information about the Amazon ECR Public Gallery, see [Amazon ECR Public Gallery](public-gallery.md).

**Topics**
+ [Public repository concepts](#public-repository-concepts)
+ [Creating an Amazon ECR public repository to store images](public-repository-create.md)
+ [Editing an Amazon ECR public repository](public-repository-edit.md)
+ [Specifying the repository catalog data in Amazon ECR public](public-repository-catalog-data.md)
+ [Viewing the contents and details of a repository in Amazon ECR public](public-repository-info.md)
+ [Deleting a public repository in Amazon ECR public](public-repository-delete.md)
+ [Public repository policies in Amazon ECR Public](public-repository-policies.md)
+ [Tag an Amazon ECR Public repository](ecr-public-using-tags.md)

## Public repository concepts
<a name="public-repository-concepts"></a>
+ The public repositories that you create with images appear publicly on the Amazon ECR Public Gallery. Visit the Amazon ECR Public Gallery at [https://gallery.ecr.aws](https://gallery.ecr.aws). For more information, see [Amazon ECR Public Gallery](public-gallery.md).
+ By default, your account has read and write access to the repositories in your public registry. However, users require permissions to make calls to the Amazon ECR APIs and to push images to your repositories.
+ Public repositories can be controlled with both IAM user access policies and repository policies. For more information, see [Public repository policies in Amazon ECR Public](public-repository-policies.md).

# Creating an Amazon ECR public repository to store images
<a name="public-repository-create"></a>

Before you can push your Docker or Open Container Initiative (OCI) images to Amazon ECR, you must create a repository to store them in. Public repositories are visible on the Amazon ECR Public Gallery, and anyone can pull images from them. If you want to create a private repository instead, see [Repositories](https://docs.aws.amazon.com/AmazonECR/latest/userguide/Repositories.html) in the *Amazon Elastic Container Registry User Guide*.

**To create a public repository (AWS Management Console)**

1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/](https://console.aws.amazon.com/ecr/).

1. From the navigation bar, choose the AWS Region to create your public repository in.

1. In the navigation pane, choose **Repositories**.

1. On the **Repositories** page, choose **Create repository**.

1. For **Visibility settings**, choose **Public**.

1. For **Repository name**, enter a unique name for your public repository. The repository name can be specified on its own (for example, `nginx-web-app`) or prepended with a namespace to group the repository into a category (for example, `project-a/nginx-web-app`).
**Note**  
The repository name may contain a maximum of `205` characters. The name must start with a letter and can only contain lowercase letters, numbers, hyphens, underscores, periods and forward slashes. Using a double hyphen, double underscore, or double forward slash isn't supported.

1. For **Repository logo**, choose **Upload file** and select a local image file to use as the repository logo. Amazon ECR uploads your logo as a base64-encoded payload to a publicly available Amazon S3 bucket.
**Note**  
The repository logo is only publicly visible in the Amazon ECR Public Gallery for verified accounts. A verified account is an account that is AWS Marketplace certified. 

1. For **Short description**, enter a description of the repository. The description field is displayed on the Amazon ECR Public Gallery in the search results and on the repository detail page.

1. For **Content types**, select the operating system and system architecture tags to associate with the repository. These tags are publicly displayed in the Amazon ECR Public Gallery as badges on the repository and are used as search filters.

1. For **About**, enter a detailed description for the repository. This text should be in GitHub Flavored Markdown format. For format examples, see [Specifying the repository catalog data in Amazon ECR public](public-repository-catalog-data.md). This field is publicly visible on the Amazon ECR Public Gallery on the repository detail page.

1. For **Usage**, enter details about how to use the images in the repository. This text should be in GitHub Flavored Markdown format. For format examples, see [Specifying the repository catalog data in Amazon ECR public](public-repository-catalog-data.md). This field is publicly visible on the Amazon ECR Public Gallery on the repository detail page.

1. Choose **Create repository**.

## Next steps
<a name="procedure_next_steps"></a>

To view the steps to push an image to your repository, select the repository and choose **View push commands**. For more information about pushing an image to your repository, see [Pushing an image to a public repository in Amazon ECR public](docker-push-ecr-image.md).

# Editing an Amazon ECR public repository
<a name="public-repository-edit"></a>

An existing public repository can be edited to change the catalog data details that are visible in the Amazon ECR Public Gallery.

**To edit a repository**

1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/repositories](https://console.aws.amazon.com/ecr/repositories).

1. From the navigation bar, choose the Region that the repository to edit is in.

1. In the navigation pane, choose **Repositories**.

1. On the **Repositories** page, select the **Public** tab, and then select the repository to edit and choose **Edit**.

1. For **Repository logo**, if your repository doesn't have a logo, then choose **Upload file** and select a local image file to use as the repository logo. If your repository has a logo currently, choose **Replace file** to choose a new logo file. Choose **Reset** to reset your logo selection.
**Note**  
The repository logo is only publicly visible in the Amazon ECR Public Gallery for verified accounts.

1. For **Short description**, edit the description of the repository. The description field is displayed on the Amazon ECR Public Gallery in the search results and on the repository detail page.

1. For **Content types**, select the operating system and system architecture tags to associate with the repository. These tags are publicly displayed in the Amazon ECR Public Gallery as badges on the repository and are used as search filters.

1. For **About**, enter a detailed description for the repository. This field is publicly visible on the Amazon ECR Public Gallery on the repository detail page. This text must be in the GitHub Flavored Markdown format. For examples, see [Specifying the repository catalog data in Amazon ECR public](public-repository-catalog-data.md).

1. For **Usage**, enter details about how to use the images in the repository. This field is publicly visible on the Amazon ECR Public Gallery on the repository detail page. This text must be in the GitHub Flavored Markdown format. For examples, see [Specifying the repository catalog data in Amazon ECR public](public-repository-catalog-data.md).

1. Choose **Save** to update the repository settings.

# Specifying the repository catalog data in Amazon ECR public
<a name="public-repository-catalog-data"></a>

When you create a public repository, you specify the catalog data that helps users find, understand, and use the images in the repository. The catalog data that you configure for a public repository includes a short description, the operating system and system architecture compatibilities, an optional logo, an **About** section that provides a more detailed description, and a **Usage** section that provides details on how to use the images.

When you specify a logo, the logo is specified as a blob that's a base64-encoded string. The height and the width of the image must each be at least 60 pixels and can be up to 2048 pixels. The maximum file size is 500 KB. To generate a blob from an existing PNG file, run the following command.

```
cat myrepoimage.png | base64
```

The text for the **About** and **Usage** sections must be in the GitHub Flavored Markdown format. When using the API, SDK, or AWS CLI to format the text, use `\n` to indicate a line break.
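The logo limits and the `\n` convention described above can be checked and applied in one step before the catalog data is submitted. The following is an added example, not part of the AWS documentation: it validates a PNG logo against the stated limits and assembles a catalog data document whose JSON encoding produces the `\n` escapes. It assumes the field names of the `PutRepositoryCatalogData` API input, reads 500 KB as 500 × 1024 bytes, and uses constructed sample values and hypothetical function names.

```python
import base64
import json
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MIN_PIXELS, MAX_PIXELS = 60, 2048   # limits stated in the text above
MAX_LOGO_BYTES = 500 * 1024         # assumption: "500 KB" read as 500 * 1024 bytes


def png_dimensions(data: bytes) -> tuple:
    """Return (width, height) from the IHDR chunk of a PNG, or raise ValueError."""
    if len(data) < 33 or data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if chunk_type != b"IHDR" or length != 13:
        raise ValueError("first PNG chunk is not a valid IHDR")
    # The CRC covers the chunk type and the 13 data bytes.
    (stored_crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(data[12:29]) != stored_crc:
        raise ValueError("IHDR checksum mismatch")
    return struct.unpack(">II", data[16:24])


def logo_blob(data: bytes) -> str:
    """Check the size and dimension limits, then return the base64 blob."""
    if len(data) > MAX_LOGO_BYTES:
        raise ValueError(f"logo is {len(data)} bytes, limit is {MAX_LOGO_BYTES}")
    for label, pixels in zip(("width", "height"), png_dimensions(data)):
        if not MIN_PIXELS <= pixels <= MAX_PIXELS:
            raise ValueError(f"logo {label} {pixels}px is outside "
                             f"{MIN_PIXELS}-{MAX_PIXELS}px")
    return base64.b64encode(data).decode("ascii")


def build_catalog_data(description, about_md, usage_md,
                       architectures, operating_systems, logo_png=None) -> str:
    """Return catalog data as JSON text; json.dumps turns line breaks into \\n."""
    catalog = {
        "description": description,
        "architectures": list(architectures),
        "operatingSystems": list(operating_systems),
        "aboutText": about_md,
        "usageText": usage_md,
    }
    if logo_png is not None:
        catalog["logoImageBlob"] = logo_blob(logo_png)
    return json.dumps(catalog, indent=2)


def constructed_png(width: int, height: int) -> bytes:
    """Constructed sample: signature + IHDR + IEND only. Enough for the checks
    above, but not a renderable image."""
    def chunk(chunk_type: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(chunk_type + body)
        return struct.pack(">I", len(body)) + chunk_type + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IEND", b"")


if __name__ == "__main__":
    # Constructed sample values; replace with your own files and tags.
    about = "# Heading level one\n\nBody text\n\n* Bullet 1\n* Bullet 2"
    usage = "## Supported architectures\n\namd64, arm64v8"
    print(build_catalog_data("Sample repository", about, usage,
                             ["x86-64"], ["Linux"], constructed_png(128, 128)))
```

The printed document can be saved to a file and passed to `aws ecr-public put-repository-catalog-data` with `--catalog-data file://<file>`.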

The following table provides examples for specifying certain element types in the `About` and `Usage` sections of your repository catalog data.

## Examples
<a name="public-repository-catalog-data-examples"></a>

The following are examples of how to format the **About** and **Usage** repository catalog data so that it appears properly on the Amazon ECR Public Gallery.

**Topics**
+ [Example: Headings](#example-headings)
+ [Example: Text formatting](#example-textformatting)
+ [Example: Code formatting](#example-codeformatting)
+ [Example: Links](#example-links)
+ [Example: Lists](#example-lists)
+ [Example: Full **About** description](#example-abouttext)
+ [Example: Full **Usage** description](#example-usagetext)

### Example: Headings
<a name="example-headings"></a>

Headings are designated by the number sign (`#`). A single number sign and a space indicate a top-level heading, two number signs create a second-level heading, and three number signs create a third-level heading. This is illustrated in the following examples.

**AWS Management Console**  
The following example is the format for headings in the console.

```
# Heading level one

Body text

## Heading level two

Body text

### Heading level three

Body text
```

**AWS CLI**  
The following example is the format to use for headings in the AWS CLI.

```
# Heading level one\n\nBody text\n\n## Heading level two\n\nBody text\n\n### Heading level three\n\nBody text\n\n#### Heading level four\n\nBody text
```

### Example: Text formatting
<a name="example-textformatting"></a>

You can use the following syntax to apply italics, bold, or strikethrough to text. The syntax is the same for both the console and the AWS CLI.

```
*This text appears in italics*
```

```
**This text appears in bold**
```

```
~~This text appears in strikethrough~~
```

### Example: Code formatting
<a name="example-codeformatting"></a>

You can use the following syntax for single-line and multi-line code blocks. The syntax is the same for both the console and the AWS CLI.

```
`code text`
```

````
```
multi-line
codeblock
```
````

### Example: Links
<a name="example-links"></a>

You can create a clickable web link by surrounding the `link_text` with square brackets and surrounding the full URL with parentheses. The syntax is the same for both the console and the AWS CLI.

```
[What is Amazon Elastic Container Registry?](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html)
```

### Example: Lists
<a name="example-lists"></a>

To format lines as part of a bulleted list, enter them on separate lines with a single asterisk and then a space at the beginning of the line. To format lines as part of a numbered list, enter them on separate lines with a number, period, and space at the beginning of the line.

**AWS Management Console**  
The following example is the format to use for lists in the console.

```
* Bullet 1
* Bullet 2
* Bullet 3
```

```
1. Step one
2. Step two
3. Step three
```

**AWS CLI**  
The following example is the format to use for lists in the AWS CLI.

```
* Bullet 1\n* Bullet 2\n* Bullet 3
```

```
1. Step one\n2. Step two\n3. Step three
```

### Example: Full **About** description
<a name="example-abouttext"></a>

The following screenshot from the Amazon ECR Public Gallery displays how an **About** section is constructed. This section covers the format to use for this text when using both the AWS Management Console and the AWS CLI.

![\[Example - Repository About\]](http://docs.aws.amazon.com/AmazonECR/latest/public/images/catalog-data-about.png)


**AWS Management Console**  
The following is the format to use for the preceding screenshot in the console.

```
## Quick reference

Maintained by: [the Amazon Linux Team](https://github.com/aws/amazon-linux-docker-images)

Where to get help: [the Docker Community Forums](https://forums.docker.com/), [the Docker Community Slack](https://dockr.ly/slack), or [Stack Overflow](https://stackoverflow.com/search?tab=newest&q=docker)

## Supported tags and respective `dockerfile` links

* [`2.0.20200722.0`, `2`, `latest`](https://github.com/amazonlinux/container-images/blob/03d54f8c4d522bf712cffd6c8f9aafba0a875e78/Dockerfile)
* [`2.0.20200722.0-with-sources`, `2-with-sources`, `with-sources`](https://github.com/amazonlinux/container-images/blob/1e7349845e029a2e6afe6dc473ef17d052e3546f/Dockerfile)
* [`2018.03.0.20200602.1`, `2018.03`, `1`](https://github.com/amazonlinux/container-images/blob/f10932e08c75457eeb372bf1cc47ea2a4b8e98c8/Dockerfile)
* [`2018.03.0.20200602.1-with-sources`, `2018.03-with-sources`, `1-with-sources`](https://github.com/amazonlinux/container-images/blob/8c9ee491689d901aa72719be0ec12087a5fa8faf/Dockerfile)

## What is Amazon Linux?

Amazon Linux is provided by Amazon Web Services. It is designed to provide a stable, secure, and high-performance execution environment for applications running on Amazon EC2. The full distribution includes packages that enable easy integration with Amazon Web Services, including launch configuration tools and many popular AWS libraries and tools. AWS provides ongoing security and maintenance updates to all instances running Amazon Linux.

The Amazon Linux container image contains a minimal set of packages. To install additional packages, [use `yum`](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/managing-software.html).

Amazon Web Services provides two versions of Amazon Linux: [Amazon Linux 2](https://aws.amazon.com/amazon-linux-2/) and [Amazon Linux AMI](https://aws.amazon.com/amazon-linux-ami/).

For information on security updates for Amazon Linux, please refer to [Amazon Linux 2 Security Advisories](https://alas.aws.amazon.com/alas2.html) and [Amazon Linux AMI Security Advisories](https://alas.aws.amazon.com/). Note that Docker Hub's vulnerability scanning for Amazon Linux is currently based on RPM versions, which does not reflect the state of backported patches for vulnerabilities.

## Where can I run Amazon Linux container images?

You can run Amazon Linux container images in any Docker based environment. Examples include, your laptop, in Amazon EC2 instances, and Amazon ECS clusters.

## License

Amazon Linux is available under the [GNU General Public License, version 2.0](https://github.com/aws/amazon-linux-docker-images/blob/master/LICENSE). Individual software packages are available under their own licenses; run `rpm -qi [package name]` or check `/usr/share/doc/[package name]-*` and `/usr/share/licenses/[package name]-*` for details.

As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained).

Some additional license information which was able to be auto-detected might be found in [the `repo-info` repository's `amazonlinux/` directory](https://github.com/docker-library/repo-info/tree/master/repos/amazonlinux).

## Security

For information on security updates for Amazon Linux, please refer to [Amazon Linux 2 Security Advisories](https://alas.aws.amazon.com/alas2.html) and [Amazon Linux AMI Security Advisories](https://alas.aws.amazon.com/). Note that Docker Hub's vulnerability scanning for Amazon Linux is currently based on RPM versions, which does not reflect the state of backported patches for vulnerabilities.
```

**AWS CLI**  
The following is the format to use for the preceding screenshot in the AWS CLI.

```
## Quick reference\n\nMaintained by: [the Amazon Linux Team](https://github.com/aws/amazon-linux-docker-images)\n\nWhere to get help: [the Docker Community Forums](https://forums.docker.com/), [the Docker Community Slack](https://dockr.ly/slack), or [Stack Overflow](https://stackoverflow.com/search?tab=newest&q=docker)\n\n## Supported tags and respective `dockerfile` links\n\n* [`2.0.20200722.0`, `2`, `latest`](https://github.com/amazonlinux/container-images/blob/03d54f8c4d522bf712cffd6c8f9aafba0a875e78/Dockerfile)\n* [`2.0.20200722.0-with-sources`, `2-with-sources`, `with-sources`](https://github.com/amazonlinux/container-images/blob/1e7349845e029a2e6afe6dc473ef17d052e3546f/Dockerfile)\n* [`2018.03.0.20200602.1`, `2018.03`, `1`](https://github.com/amazonlinux/container-images/blob/f10932e08c75457eeb372bf1cc47ea2a4b8e98c8/Dockerfile)\n* [`2018.03.0.20200602.1-with-sources`, `2018.03-with-sources`, `1-with-sources`](https://github.com/amazonlinux/container-images/blob/8c9ee491689d901aa72719be0ec12087a5fa8faf/Dockerfile)\n\n## What is Amazon Linux?\n\nAmazon Linux is provided by Amazon Web Services (AWS). It is designed to provide a stable, secure, and high-performance execution environment for applications running on Amazon EC2. The full distribution includes packages that enable easy integration with AWS, including launch configuration tools and many popular AWS libraries and tools. AWS provides ongoing security and maintenance updates to all instances running Amazon Linux.\n\nThe Amazon Linux container image contains a minimal set of packages. To install additional packages, [use `yum`](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/managing-software.html).\n\nAWS provides two versions of Amazon Linux: [Amazon Linux 2](https://aws.amazon.com/amazon-linux-2/) and [Amazon Linux AMI](https://aws.amazon.com/amazon-linux-ami/).\n\nFor information on security updates for Amazon Linux, please refer to [Amazon Linux 2 Security Advisories](https://alas.aws.amazon.com/alas2.html) and [Amazon Linux AMI Security Advisories](https://alas.aws.amazon.com/). Note that Docker Hub's vulnerability scanning for Amazon Linux is currently based on RPM versions, which does not reflect the state of backported patches for vulnerabilities.\n\n## Where can I run Amazon Linux container images?\n\nYou can run Amazon Linux container images in any Docker based environment. Examples include, your laptop, in Amazon EC2 instances, and Amazon ECS clusters.\n\n## License\n\nAmazon Linux is available under the [GNU General Public License, version 2.0](https://github.com/aws/amazon-linux-docker-images/blob/master/LICENSE). Individual software packages are available under their own licenses; run `rpm -qi [package name]` or check `/usr/share/doc/[package name]-*` and `/usr/share/licenses/[package name]-*` for details.\n\nAs with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained).\n\nSome additional license information which was able to be auto-detected might be found in [the `repo-info` repository's `amazonlinux/` directory](https://github.com/docker-library/repo-info/tree/master/repos/amazonlinux).\n\n## Security\n\nFor information on security updates for Amazon Linux, please refer to [Amazon Linux 2 Security Advisories](https://alas.aws.amazon.com/alas2.html) and [Amazon Linux AMI Security Advisories](https://alas.aws.amazon.com/). Note that Docker Hub's vulnerability scanning for Amazon Linux is currently based on RPM versions, which does not reflect the state of backported patches for vulnerabilities.
```

### Example: Full **Usage** description
<a name="example-usagetext"></a>

The following screenshot from the Amazon ECR Public Gallery displays how a **Usage** section is constructed. This section covers how to format this text using both the AWS Management Console and the AWS CLI.

![\[Example - Repository Usage\]](http://docs.aws.amazon.com/AmazonECR/latest/public/images/catalog-data-usage.png)


**AWS Management Console**  
The following is the format to use for the preceding screenshot in the console.

```
## Supported architectures

amd64, arm64v8

## Where can I run Amazon Linux container images?

You can run Amazon Linux container images in any Docker based environment. Examples include, your laptop, in Amazon EC2 instances, and Amazon ECS clusters.

## How do I install a software package from Extras repository in Amazon Linux 2?

Available packages can be listed with the `amazon-linux-extras` command. Packages can be installed with the `amazon-linux-extras install <package>` command. Example: `amazon-linux-extras install rust1`

## Will updates be available for Amazon Linux containers?

Similar to the Amazon Linux images for Amazon EC2 and on-premises use, Amazon Linux container images will get ongoing updates from Amazon in the form of security updates, bug fix updates, and other enhancements. Security bulletins for Amazon Linux are available at https://alas.aws.amazon.com/

## Will Amazon Web Services support the current version of Amazon Linux going forward?

Yes; in order to avoid any disruption to your existing applications and to facilitate migration to Amazon Linux 2, AWS will provide regular security updates for Amazon Linux 2018.03 AMI and container image for 2 years after the final LTS build is announced. You can also use all your existing support channels such as Support and Amazon Linux Discussion Forum to continue to submit support requests.
```

**AWS CLI**  
The following is the format to use for the preceding screenshot in the AWS CLI.

```
## Supported architectures\n\namd64, arm64v8\n\n## Where can I run Amazon Linux container images?\n\nYou can run Amazon Linux container images in any Docker based environment. Examples include, your laptop, in Amazon EC2 instances, and Amazon ECS clusters.\n\n## How do I install a software package from Extras repository in Amazon Linux 2?\n\nAvailable packages can be listed with the `amazon-linux-extras` command. Packages can be installed with the `amazon-linux-extras install <package>` command. Example: `amazon-linux-extras install rust1`\n\n## Will updates be available for Amazon Linux containers?\n\nSimilar to the Amazon Linux images for Amazon EC2 and on-premises use, Amazon Linux container images will get ongoing updates from Amazon in the form of security updates, bug fix updates, and other enhancements. Security bulletins for Amazon Linux are available at https://alas.aws.amazon.com/\n\n## Will Amazon Web Services support the current version of Amazon Linux going forward?\n\nYes; in order to avoid any disruption to your existing applications and to facilitate migration to Amazon Linux 2, AWS will provide regular security updates for Amazon Linux 2018.03 AMI and container image for 2 years after the final LTS build is announced. You can also use all your existing support channels such as Support and Amazon Linux Discussion Forum to continue to submit support requests.
```

# Viewing the contents and details of a repository in Amazon ECR public
<a name="public-repository-info"></a>

After you create a public repository, you can view details about it in the AWS Management Console. For each image in the repository, you can view the image size, the URI for pulling the image, the SHA digest, the image tags, and the time when the image was last pushed. You can review the catalog data for the Amazon ECR Public Gallery. You can also see the repository permission policies that are associated with the repository.

**Note**  
Beginning with Docker version 1.9, the Docker client compresses image layers before pushing them to a V2 Docker registry. The output of the **docker images** command shows the uncompressed image size. Therefore, the image size that's returned might be larger than the image sizes that are shown in the AWS Management Console.

**To view public repository information**

1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/repositories](https://console.aws.amazon.com/ecr/repositories).

1. From the navigation bar, choose the Region that the repository to view is in.

1. In the navigation pane, choose **Repositories**.

1. On the **Repositories** page, select the **Public** tab, and then choose the repository to view the details of.

1. On the **Repositories > *repository\_name*** page, choose **View public listing** to navigate to the repository detail page in the Amazon ECR Public Gallery in a new tab or use the navigation bar to view more details about the repository.
   + Choose **Images** to view information about the images in the repository. If there are untagged images that you want to delete, you can select the box to the left of the repositories to delete and choose **Delete**. For more information, see [Deleting an image in a public repository in Amazon ECR public](public-image-delete.md).
   + Choose **Gallery detail** to view the public catalog data for the repository. 
   + Choose **Permissions** to view the repository policies that are applied to the repository. For more information, see [Public repository policies in Amazon ECR Public](public-repository-policies.md).

# Deleting a public repository in Amazon ECR public
<a name="public-repository-delete"></a>

If you're finished using a repository, you can delete it. When you delete a repository in the AWS Management Console, all of the images that are contained in the repository are also deleted. This action can't be undone.

**To delete a public repository**

1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/repositories](https://console.aws.amazon.com/ecr/repositories).

1. From the navigation bar, choose the AWS Region that contains the repository to delete.

1. In the navigation pane, choose **Repositories**.

1. On the **Repositories** page, select the **Public** tab, and then select the repository to delete and choose **Delete**.

1. In the **Delete *repository\_name*** window, double check the repositories that you selected to delete and choose **Delete**.
**Important**  
Any images in the selected repositories are also deleted.

# Public repository policies in Amazon ECR Public
<a name="public-repository-policies"></a>

Amazon ECR uses resource-based permissions to control access to public repositories. When a public repository is created, it is publicly visible on the Amazon ECR Public Gallery and anyone can pull images from the repository. By default, however, only the repository owner has access to push to the repository. With resource-based permissions, you specify which users or roles have access to push to a public repository and what additional actions they can perform on it. You can apply a policy document to allow additional permissions to your repository.

**Note**  
All public repositories are visible on the Amazon ECR Public Gallery. Using a repository policy to deny access to view or pull from a public repository is not supported.

## Repository policies vs IAM policies
<a name="repository-policy-vs-iam-policy"></a>

Amazon ECR public repository policies are a subset of IAM policies that are both scoped for and specifically used for controlling access to individual Amazon ECR repositories. In general, you use IAM policies to apply permissions for the entire Amazon ECR service. However, you can also use IAM policies to control access to specific resources.

For determining which actions a specific IAM user or role might perform on a repository, you use both Amazon ECR repository policies and IAM policies. If a user or role is allowed to perform an action through a repository policy but is denied permission through an IAM policy, the action is denied. Similarly, if a user or role is denied permission through an IAM policy even though that identity is allowed to perform an action, the action is denied. You can grant a user or role permission for an action through either a repository policy or an IAM policy, but you can't grant permission both ways.

**Important**  
Amazon ECR requires that users have permission to make calls to the `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.

You can use either of these policy types to control access to your public repositories, as shown in the following examples.

This example shows an Amazon ECR public repository policy, which allows for a specific IAM user to describe the repository and the images within the repository.

```
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ECR Public Repository Policy",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::111122223333:user/username"
    },
    "Action": [
       "ecr-public:DescribeImages",
       "ecr-public:DescribeRepositories"
    ],
    "Resource": "*"
  }]
}
```


This example shows an IAM policy that achieves the same goal as the preceding example. In this example, the policy is scoped to a public repository (specified by the full Amazon Resource Name (ARN) of the public repository) using the resource parameter. Because an IAM policy is attached to the user or role that it applies to, it doesn't include a `Principal` element. For more information about ARN format, see [Resources](security_iam_service-with-iam.md#security_iam_service-with-iam-id-based-policies-resources).

```
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ECRPublicRepositoryPolicy",
    "Effect": "Allow",
    "Action": [
      "ecr-public:DescribeImages",
      "ecr-public:DescribeRepositories"
    ],
    "Resource": [
      "arn:aws:ecr-public::111122223333:repository/repository-name"
    ]
  }]
}
```
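Because anyone can already pull from a public repository, what a repository policy effectively decides is who else can push to it or administer it. The following is an added example, not AWS code: a check to run on a repository policy document before applying it, which reports `Allow` statements that give write actions to every authenticated AWS user or to principals in other accounts, and `Deny` statements that try to restrict viewing. The `WRITE_ACTIONS` list, the function names, the severity labels, and the sample policy are assumptions made for illustration.

```python
import fnmatch

# Assumption: ecr-public actions that change what a repository serves or who
# controls it. The page does not list them; extend the set to suit your review.
WRITE_ACTIONS = (
    "ecr-public:InitiateLayerUpload",
    "ecr-public:UploadLayerPart",
    "ecr-public:CompleteLayerUpload",
    "ecr-public:PutImage",
    "ecr-public:BatchDeleteImage",
    "ecr-public:PutRepositoryCatalogData",
    "ecr-public:SetRepositoryPolicy",
    "ecr-public:DeleteRepositoryPolicy",
    "ecr-public:DeleteRepository",
)


def as_list(value):
    """Policy elements may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matched_writes(patterns):
    """Write actions covered by Action patterns (wildcards, case-insensitive)."""
    return [action for action in WRITE_ACTIONS
            if any(fnmatch.fnmatchcase(action.lower(), str(p).lower()) for p in patterns)]


def aws_principals(principal):
    """AWS principals in a Principal element; '*' is every authenticated AWS user."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in as_list(principal.get("AWS"))]
    return []


def account_of(principal):
    """Account ID from a bare 12-digit ID or an IAM/STS ARN, else None."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] in ("iam", "sts"):
        return parts[4]
    return None


def lint_repository_policy(policy, owner_account):
    """Return (severity, statement, message) findings for a public repository policy."""
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        name = stmt.get("Sid") or f"Statement[{index}]"
        patterns = as_list(stmt.get("Action"))
        if stmt.get("Effect") == "Deny":
            # Denying view or pull access is not supported for public repositories.
            read_only = [str(p) for p in patterns if not matched_writes([p])]
            if read_only:
                findings.append(("INFO", name, "Deny on " + ", ".join(read_only)
                                 + " does not hide the repository or block pulls"))
            continue
        writes = matched_writes(patterns)
        if stmt.get("Effect") != "Allow" or not writes:
            continue
        principals = aws_principals(stmt.get("Principal"))
        if "*" in principals:
            severity = "MEDIUM" if stmt.get("Condition") else "HIGH"
            findings.append((severity, name, "every authenticated AWS user may call "
                             + ", ".join(writes)))
            continue
        foreign = sorted({p for p in principals
                          if account_of(p) not in (None, owner_account)})
        if foreign:
            findings.append(("MEDIUM", name, "principals outside account " + owner_account
                             + " (" + ", ".join(foreign) + ") may call " + ", ".join(writes)))
    return findings


# Constructed sample policy; account IDs and statement names are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DescribeForOneUser", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:user/username"},
         "Action": ["ecr-public:DescribeImages", "ecr-public:DescribeRepositories"]},
        {"Sid": "PushForEveryone", "Effect": "Allow", "Principal": "*",
         "Action": ["ecr-public:PutImage", "ecr-public:UploadLayerPart"]},
        {"Sid": "PartnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": ["444455556666"]}, "Action": "ecr-public:*"},
        {"Sid": "HideImages", "Effect": "Deny", "Principal": "*",
         "Action": "ecr-public:DescribeImages"},
    ],
}

if __name__ == "__main__":
    for severity, name, message in lint_repository_policy(SAMPLE_POLICY, "111122223333"):
        print(f"{severity:6} {name}: {message}")
```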

**Topics**
+ [Repository policies vs IAM policies](#repository-policy-vs-iam-policy)
+ [Setting a repository policy statement in Amazon ECR Public](set-public-repository-policy.md)
+ [Deleting a public repository policy statement in Amazon ECR Public](delete-public-repository-policy.md)
+ [Public repository policy examples in Amazon ECR Public](public-repository-policy-examples.md)

# Setting a repository policy statement in Amazon ECR Public
<a name="set-public-repository-policy"></a>

You can add an access policy statement to a public repository in the AWS Management Console by following these steps. You can add multiple policy statements per public repository. For example policies, see [Public repository policy examples in Amazon ECR Public](public-repository-policy-examples.md).

**Important**  
Amazon ECR requires that users have permission to make calls to the `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.

**To set a repository policy statement**

1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/repositories](https://console.aws.amazon.com/ecr/repositories).

1. From the navigation bar, choose the AWS Region that contains the repository to set a policy statement on.

1. In the navigation pane, choose **Repositories**.

1. On the **Repositories** page, select the **Public** tab, and then choose the repository to set a policy statement on.

1. In the navigation pane, choose **Permissions**, **Edit**.

1. On the **Edit permissions** page, choose **Add statement**.

1. For **Statement name**, enter a name for the statement.

1. For **Effect**, choose whether the policy statement results in an allow or an explicit deny.
   **Note**  
   All public repositories are visible on the Amazon ECR Public Gallery. Using a repository policy to deny access to view or pull from a public repository is not supported.

1. For **Principal**, choose the scope to apply the policy statement to. For more information, see [AWS JSON Policy Elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in the *IAM User Guide*.
   + You can apply the statement to all authenticated AWS users by selecting the **Everyone (\*)** check box.
   + For **Service principal**, specify the service principal name (for example, `ecs.amazonaws.com`) to apply the statement to a specific service.
   + For **AWS Account IDs**, specify an AWS account number (for example, `111122223333`) to apply the statement to all users under a specific AWS account. Multiple accounts can be specified by using a comma-separated list.
   + For **IAM Entities**, select the roles or users under your AWS account to apply the statement to.
   **Note**  
   For more complicated repository policies that are not currently supported in the AWS Management Console, you can apply the policy with the [set-repository-policy](https://docs.aws.amazon.com/cli/latest/reference/ecr/set-repository-policy.html) AWS CLI command.

1. For **Actions**, choose the scope of the Amazon ECR API operations that the policy statement applies to from the list of individual API operations.

1. When you're finished, choose **Save** to set the policy.

1. Repeat the previous step for each repository policy to add.

# Deleting a public repository policy statement in Amazon ECR Public
<a name="delete-public-repository-policy"></a>

If you no longer want an existing repository policy statement to apply to a repository, you can delete it.

**To delete a repository policy statement**

1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/repositories](https://console.aws.amazon.com/ecr/repositories).

1. From the navigation bar, choose the Region that contains the repository to delete a policy statement from.

1. In the navigation pane, choose **Repositories**.

1. On the **Repositories** page, select the **Public** tab, and then choose the repository to delete a policy statement from.

1. In the navigation pane, choose **Permissions**, **Edit**.

1. On the **Edit permissions** page, choose **Delete**.

# Public repository policy examples in Amazon ECR Public
<a name="public-repository-policy-examples"></a>

The following examples show policy statements that you can use to control the permissions that users have to your public repositories.

**Note**  
All public repositories are visible on the Amazon ECR Public Gallery. Using a repository policy to deny access to view or pull from a public repository is not supported.

**Important**  
Amazon ECR requires that users have permission, granted through an IAM policy, to call the `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` API operations before they can authenticate to a registry and push any images to an Amazon ECR repository.

## Example: Allow an IAM user within your account
<a name="IAM_within_account"></a>

The following repository policy allows users within your account to push images.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPush",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/push-pull-user-1",
                    "arn:aws:iam::111122223333:user/push-pull-user-2"
                ]
            },
            "Action": [
                "ecr-public:BatchCheckLayerAvailability",
                "ecr-public:PutImage",
                "ecr-public:InitiateLayerUpload",
                "ecr-public:UploadLayerPart",
                "ecr-public:CompleteLayerUpload"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## Example: Allow another account
<a name="IAM_allow_other_accounts"></a>

The following repository policy allows a specific account to push images.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountPush",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "ecr-public:BatchCheckLayerAvailability",
                "ecr-public:PutImage",
                "ecr-public:InitiateLayerUpload",
                "ecr-public:UploadLayerPart",
                "ecr-public:CompleteLayerUpload"
            ],
            "Resource": "*"
        }
    ]
}
```

------
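The following is an added example, not part of the AWS documentation: a pre-apply check for a repository policy document like the two above. It flags push access granted to `*` or to a whole account, and `Deny` statements that reach beyond the push actions listed on this page. The finding labels, `SAMPLE_POLICY`, and the `OpenPush` and `DenyDescribe` statements are constructed for illustration.

```python
import json

# Push-related actions, taken from the example policies on this page.
PUSH_ACTIONS = {"ecr-public:" + name for name in (
    "BatchCheckLayerAvailability", "PutImage", "InitiateLayerUpload",
    "UploadLayerPart", "CompleteLayerUpload")}

def as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def principals(stmt):
    """Flatten Principal ("*" or {"AWS": ..., "Service": ...}) to strings."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    return [p for values in principal.values() for p in as_list(values)]

def audit_policy(policy_text):
    """Return sorted (Sid, finding) pairs to review before applying a policy."""
    findings = set()
    for stmt in as_list(json.loads(policy_text)["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(as_list(stmt.get("Action", [])))
        wildcard = bool(actions & {"*", "ecr-public:*"})
        if stmt.get("Effect") == "Deny":
            # Assumption: actions outside PUSH_ACTIONS may be view or pull (not deniable).
            if wildcard or actions - PUSH_ACTIONS:
                findings.add((sid, "deny-beyond-push"))
            continue
        if not (wildcard or actions & PUSH_ACTIONS):
            continue  # statement grants no push capability
        for who in principals(stmt):
            if who == "*":
                findings.add((sid, "push-open-to-everyone"))
            elif who.isdigit() or who.endswith(":root"):
                findings.add((sid, "push-open-to-whole-account"))
    return sorted(findings)

# Constructed sample: statements modeled on this page plus two hypothetical ones.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowCrossAccountPush", "Effect": "Allow", "Action": ["ecr-public:PutImage"],
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}},
    {"Sid": "AllowPush", "Effect": "Allow", "Action": ["ecr-public:PutImage"],
     "Principal": {"AWS": ["arn:aws:iam::111122223333:user/push-pull-user-1"]}},
    {"Sid": "OpenPush", "Effect": "Allow", "Action": "ecr-public:PutImage", "Principal": "*"},
    {"Sid": "DenyDescribe", "Effect": "Deny", "Action": "ecr-public:DescribeImages",
     "Principal": "*"}]})

print(audit_policy(SAMPLE_POLICY))
```

A whole-account principal is what the cross-account example on this page uses; the finding is a prompt to confirm that delegating push rights to every identity that account authorizes is intended.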

# Tag an Amazon ECR Public repository
<a name="ecr-public-using-tags"></a>

To help you manage your Amazon ECR Public repositories, you can optionally assign your own metadata to each repository by using *tags*. This topic provides an overview of tags and how to create them.

## Tag basics
<a name="tag-basics"></a>

A tag is a label that you assign to an AWS resource. Each tag consists of a *key* and an optional *value*. You define both of them.

You can use tags to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type, because you can quickly identify a specific resource based on the tags you've assigned to it. For example, you can define a set of tags for your account's Amazon ECR Public repositories to track each repository's owner.

We recommend that you devise a set of tag keys that meets your specific needs. Using a consistent set of tag keys can help you keep better track of your resources and find specific resources quickly. That is, you can search and filter the resources based on the specific tags that you add.

Tags don't have any semantic meaning to Amazon ECR and are interpreted strictly as a string of characters. Tags aren't automatically assigned to your resources. You can edit tag keys and values, and you can remove tags from a resource at any time. You can set the value of a tag to an empty string. However, you can't set the value of a tag to null. If you add a tag that has the same key as an existing tag on that resource, the new value overwrites the old value. If you delete a resource, any tags for the resource are also deleted.

You can work with tags using the AWS Management Console, the AWS CLI, and the Amazon ECR Public API.

If you're using AWS Identity and Access Management (IAM), you can control which users in your AWS account have permission to manage tags.

## Tagging your resources
<a name="tag-resources"></a>

You can tag new or existing Amazon ECR Public repositories.

If you're using the Amazon ECR console, you can apply tags to new resources when they're created or to existing resources by using the **Tags** option on the navigation pane at any time.

If you're using the Amazon ECR Public API, the AWS CLI, or an AWS SDK, you can apply tags to new repositories using the `tags` parameter on the `CreateRepository` API action or use the `TagResource` API action to apply tags to existing resources. For more information, see [TagResource](https://docs.aws.amazon.com/AmazonECRPublic/latest/APIReference/API_TagResource.html).

Additionally, if tags can't be applied when a repository is created, the repository creation process is rolled back. This ensures that repositories are either created with tags or not created at all and that no repositories are left untagged at any time. By tagging repositories when they're created, you eliminate the need to run custom tagging scripts after the repository is created.

# Adding tags to a public repository in Amazon ECR public
<a name="tag-resources-console"></a>

You can add tags to a public repository.

For information about names and best practices for tags, see [Tag naming limits and requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) and [Best practices](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging AWS Resources User Guide*.

When you select a specific repository in the Amazon ECR console, you can view the tags by selecting **Tags** in the navigation pane.

------
#### [ AWS Management Console ]

**To add a tag to a public repository**

1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/](https://console.aws.amazon.com/ecr/).

1. From the navigation bar, select the AWS Region to use.

1. In the navigation pane, choose **Repositories**.

1. On the **Repositories** page, on the **Public** tab, choose the repository to view.

1. On the **Repositories > *repository\_name*** page, select **Tags** from the navigation pane.

1. On the **Tags** page, select **Add tags**, **Add tag**.

1. On the **Edit Tags** page, specify the key and value for each tag, and then choose **Save**.

------
#### [ AWS CLI ]

You can add or overwrite one or more tags by using the AWS CLI or an API.
+ AWS CLI - [tag-resource](https://docs.aws.amazon.com/cli/latest/reference/ecr-public/tag-resource.html)
+ API action - [TagResource](https://docs.aws.amazon.com/AmazonECRPublic/latest/APIReference/API_TagResource.html)

The following examples show how to manage tags using the AWS CLI.

**Example 1: Tag an existing public repository**  
The following command tags an existing public repository.

```
aws ecr-public tag-resource \
      --resource-arn arn:aws:ecr-public::account_id:repository/repository_name \
      --tags Key=stack,Value=dev \
      --region us-east-1
```

**Example 2: Tag an existing public repository with multiple tags**  
The following command applies multiple tags to an existing public repository.

```
aws ecr-public tag-resource \
      --resource-arn arn:aws:ecr-public::account_id:repository/repository_name \
      --tags Key=key1,Value=value1 Key=key2,Value=value2 Key=key3,Value=value3 \
      --region us-east-1
```

**Example 3: List tags for a public repository**  
The following command lists the tags that are associated with an existing public repository.

```
aws ecr-public list-tags-for-resource \
      --resource-arn arn:aws:ecr-public::account_id:repository/repository_name \
      --region us-east-1
```

**Example 4: Create a public repository and apply a tag**  
The following command creates a public repository that's named `test-repo` and adds a tag with key `team` and value `devs`.

```
aws ecr-public create-repository \
      --repository-name test-repo \
      --tags Key=team,Value=devs \
      --region us-east-1
```

------
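The following is an added example, not part of the AWS documentation: a check that turns the "consistent set of tag keys" recommendation into an audit over the output of `list-tags-for-resource` (Example 3). Because tags are plain strings, a key such as `Owner` does not satisfy a requirement for `owner`. The required key set, the repository names, and the JSON shape of the sample output (`{"tags": [{"Key": ..., "Value": ...}]}`) are assumptions of this example.

```python
import json

REQUIRED_KEYS = {"owner", "stack"}  # hypothetical tagging standard

def tag_findings(list_tags_output, required=REQUIRED_KEYS):
    """Check one repository's tags against the required key set.

    Keys are compared as exact strings, so "Owner" does not satisfy a
    requirement for "owner"; such near misses are reported separately
    from keys that are absent altogether.
    """
    tags = {}
    for tag in json.loads(list_tags_output).get("tags", []):
        tags[tag["Key"]] = tag.get("Value", "")
    # Index the keys that are present by a case- and space-folded form.
    folded = {}
    for key in tags:
        folded.setdefault(key.strip().lower(), []).append(key)
    findings = []
    for need in sorted(required):
        if need in tags:
            # An empty value is valid for the service but says nothing useful.
            if tags[need] == "":
                findings.append((need, "empty-value"))
        elif need.lower() in folded:
            near = ",".join(sorted(folded[need.lower()]))
            findings.append((need, "near-miss:" + near))
        else:
            findings.append((need, "missing"))
    return findings

def audit_all(outputs):
    """Map repository name -> findings, omitting compliant repositories."""
    report = {repo: tag_findings(text) for repo, text in outputs.items()}
    return {repo: found for repo, found in report.items() if found}

# Constructed sample: list-tags-for-resource output for three hypothetical repos.
SAMPLE_OUTPUTS = {
    "repo-a": '{"tags": [{"Key": "owner", "Value": "platform"}, {"Key": "stack", "Value": "dev"}]}',
    "repo-b": '{"tags": [{"Key": "Owner", "Value": "web"}, {"Key": "stack", "Value": ""}]}',
    "repo-c": '{"tags": []}',
}

print(audit_all(SAMPLE_OUTPUTS))
```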

# Deleting tags from a public repository in Amazon ECR public
<a name="ecr-public-deleting-tags-repositories-console"></a>

You can delete tags from an individual resource.

------
#### [ AWS Management Console ]

1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/](https://console.aws.amazon.com/ecr/).

1. From the navigation bar, select the Region to use.

1. On the **Repositories** page, on the **Public** tab, choose the repository to view.

1. On the **Repositories > *repository\_name*** page, select **Tags** from the navigation pane.

1. On the **Tags** page, select **Edit**.

1. On the **Edit tags** page, select **Remove** for each tag you want to delete, and choose **Save**.

------
#### [ AWS CLI ]

You can delete one or more tags by using the AWS CLI or an API.
+ AWS CLI - [untag-resource](https://docs.aws.amazon.com/cli/latest/reference/ecr-public/untag-resource.html)
+ API action - [UntagResource](https://docs.aws.amazon.com/AmazonECRPublic/latest/APIReference/API_UntagResource.html)

The following example shows how to delete a tag from an existing public repository.

```
aws ecr-public untag-resource \
      --resource-arn arn:aws:ecr-public::account_id:repository/repository_name \
      --tag-keys tag_key \
      --region us-east-1
```

------