# Public repository policies in Amazon ECR Public
Amazon ECR uses resource-based permissions to control access to public repositories. When a public repository is created, it is publicly visible on the Amazon ECR Public Gallery and anyone can pull images from the repository. By default however, only the repository owner has access to push to the repository. With resource-based permissions, you specify which users, or roles have access to push to a public repository and what additional actions they can perform on it. You can apply a policy document to allow additional permissions to your repository.
**Note**
All public repositories are visible on the Amazon ECR Public Gallery. Using a repository policy to deny access to view or pull from a public repository is not supported.
## Repository policies vs IAM policies
Amazon ECR public repository policies are a subset of IAM policies that are both scoped for and specifically used for controlling access to individual Amazon ECR repositories. In general, you use IAM policies to apply permissions for the entire Amazon ECR service. However, you can also use IAM policies to control access to specific resources.
For determining which actions a specific IAM user or role might perform on a repository, you use both Amazon ECR repository policies and IAM policies. If a user or role is allowed to perform an action through a repository policy but is denied permission through an IAM policy, the action is denied. Similarly, if a user or role is denied permission through an IAM policy even though that identity is allowed to perform an action, the action is denied. You can grant a user or role permission for an action through either a repository policy or an IAM policy, but you can't grant permission both ways.
**Important**
Amazon ECR requires that users have permission to make calls to the `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.
You can use either of these policy types to control access to your public repositories, as shown in the following examples.
This example shows an Amazon ECR public repository policy, which allows for a specific IAM user to describe the repository and the images within the repository.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Sid": "ECR Public Repository Policy",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/username"
},
"Action": [
"ecr-public:DescribeImages",
"ecr-public:DescribeRepositories"
],
"Resource": "*"
}]
}
```
------
This example shows an IAM policy that achieves the same goal as the preceding example. In this example, the policy is scoped to a public repository (specified by the full Amazon Resource Name (ARN) of the public repository) using the resource parameter. For more information about ARN format, see [Resources](security_iam_service-with-iam.md#security_iam_service-with-iam-id-based-policies-resources).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Sid": "ECR Public Repository Policy",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/username"
},
"Action": [
"ecr-public:DescribeImages",
"ecr-public:DescribeRepositories"
],
"Resource": [
"arn:aws:ecr-public::111122223333:repository/repository-name"
]
}]
}
```
------
**Topics**
+ [Repository policies vs IAM policies](#repository-policy-vs-iam-policy)
+ [Setting a repository policy statement in Amazon ECR Public](set-public-repository-policy.md)
+ [Deleting a public repository policy statement in Amazon ECR Public](delete-public-repository-policy.md)
+ [Public repository policy examples in Amazon ECR Public](public-repository-policy-examples.md)
# Setting a repository policy statement in Amazon ECR Public
You can add an access policy statement to a public repository in the AWS Management Console by following these steps. You can add multiple policy statements per public repository. For example policies, see [Public repository policy examples in Amazon ECR Public](public-repository-policy-examples.md).
**Important**
Amazon ECR requires that users have permission to make calls to the `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.
**To set a repository policy statement**
1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/repositories](https://console.aws.amazon.com/ecr/repositories).
1. From the navigation bar, choose the AWS Region that contains the repository to set a policy statement on.
1. In the navigation pane, choose **Repositories**.
1. On the **Repositories** page, select the **Public** tab, and then choose the repository to set a policy statement on.
1. In the navigation pane, choose **Permissions**, **Edit**.
1. On the **Edit permissions** page, choose **Add statement**.
1. For **Statement name**, enter a name for the statement.
1. For **Effect**, choose whether the policy statement results in an allow or an explicit deny.
**Note**
All public repositories are visible on the Amazon ECR Public Gallery. Using a repository policy to deny access to view or pull from a public repository is not supported.
1. For **Principal**, choose the scope to apply the policy statement to. For more information, see [AWS JSON Policy Elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in the *IAM User Guide*.
+ You can apply the statement to all authenticated AWS users by selecting the **Everyone (\$1)** check box.
+ For **Service principal**, specify the service principal name (for example, `ecs.amazonaws.com`) to apply the statement to a specific service.
+ For **AWS Account IDs**, specify an AWS account number (for example, `111122223333`) to apply the statement to all users under a specific AWS account. Multiple accounts can be specified by using a comma-separated list.
+ For **IAM Entities**, select the roles or users under your AWS account to apply the statement to.
**Note**
For more complicated repository policies that are not currently supported in the AWS Management Console, you can apply the policy with the [https://docs.aws.amazon.com/cli/latest/reference/ecr/set-repository-policy.html](https://docs.aws.amazon.com/cli/latest/reference/ecr/set-repository-policy.html) AWS CLI command.
1. For **Actions**, choose the scope of the Amazon ECR API operations that the policy statement applies to from the list of individual API operations.
1. When you're finished, choose **Save** to set the policy.
1. Repeat the previous step for each repository policy to add.
# Deleting a public repository policy statement in Amazon ECR Public
If you no longer want an existing repository policy statement to apply to a repository, you can delete it.
**To delete a repository policy statement**
1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/repositories](https://console.aws.amazon.com/ecr/repositories).
1. From the navigation bar, choose the Region that contains the repository to delete a policy statement from.
1. In the navigation pane, choose **Repositories**.
1. On the **Repositories** page, select the **Public** tab, and then choose the repository to delete a policy statement from.
1. In the navigation pane, choose **Permissions**, **Edit**.
1. On the **Edit permissions** page, choose **Delete**.
# Public repository policy examples in Amazon ECR Public
The following examples show policy statements that you use to control the permissions that users have to your public repositories.
**Note**
All public repositories are visible on the Amazon ECR Public Gallery. Using a repository policy to deny access to view or pull from a public repository is not supported.
**Important**
Amazon ECR requires that users have permission to make calls to the `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.
## Example: Allow an IAM user within your account
The following repository policy allows users within your account to push images.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowPush",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:user/push-pull-user-1",
"arn:aws:iam::111122223333:user/push-pull-user-2"
]
},
"Action": [
"ecr-public:BatchCheckLayerAvailability",
"ecr-public:PutImage",
"ecr-public:InitiateLayerUpload",
"ecr-public:UploadLayerPart",
"ecr-public:CompleteLayerUpload"
],
"Resource": "*"
}
]
}
```
------
## Example: Allow another account
The following repository policy allows a specific account to push images.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowCrossAccountPush",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"ecr-public:BatchCheckLayerAvailability",
"ecr-public:PutImage",
"ecr-public:InitiateLayerUpload",
"ecr-public:UploadLayerPart",
"ecr-public:CompleteLayerUpload"
],
"Resource": "*"
}
]
}
```
------