# Private repository policies in Amazon ECR Repository policies Amazon ECR uses resource-based permissions to control access to repositories. Resource-based permissions let you specify which users or roles have access to a repository and what actions they can perform on the repository. By default, only the AWS account that created the repository has access to the repository. You can apply a repository policy that allows additional access to your repository. **Topics** + [ ## Repository policies vs IAM policies ](#repository-policy-vs-iam-policy) + [ # Private repository policy examples in Amazon ECR ](repository-policy-examples.md) + [ # Setting a private repository policy statement in Amazon ECR ](set-repository-policy.md) ## Repository policies vs IAM policies Amazon ECR repository policies are a subset of IAM policies that are scoped for, and specifically used for, controlling access to individual Amazon ECR repositories. IAM policies are generally used to apply permissions for the entire Amazon ECR service but can also be used to control access to specific resources as well. Both Amazon ECR repository policies and IAM policies are used when determining which actions a specific user or role may perform on a repository. If a user or role is allowed to perform an action through a repository policy but is denied permission through an IAM policy (or vice versa) then the action will be denied. A user or role only needs to be allowed permission for an action through either a repository policy or an IAM policy but not both for the action to be allowed. **Important** Amazon ECR requires that users have permission to make calls to the `ecr:GetAuthorizationToken` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository. Amazon ECR provides several managed IAM policies to control user access at varying levels. For more information, see [Amazon Elastic Container Registry Identity-based policy examples](security_iam_id-based-policy-examples.md). You can use either of these policy types to control access to your repositories, as shown in the following examples. This example shows an Amazon ECR repository policy, which allows for a specific user to describe the repository and the images within the repository. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "ECRRepositoryPolicy", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/username"}, "Action": [ "ecr:DescribeImages", "ecr:DescribeRepositories" ], "Resource": "*" } ] } ``` ------ This example shows an IAM policy that achieves the same goal as above, by scoping the policy to a repository (specified by the full ARN of the repository) using the resource parameter. For more information about Amazon Resource Name (ARN) format, see [Resources](security_iam_service-with-iam.md#security_iam_service-with-iam-id-based-policies-resources). ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowDescribeRepoImage", "Effect": "Allow", "Action": [ "ecr:DescribeImages", "ecr:DescribeRepositories" ], "Resource": ["arn:aws:ecr:us-east-1:111122223333:repository/repository-name"] } ] } ``` ------ # Private repository policy examples in Amazon ECR Repository policy examples **Important** The repository policy examples on this page are meant to be applied to Amazon ECR private repositories. They will not work properly if used with an IAM principal directly unless modified to specify the Amazon ECR repository as the resource. For more information on setting repository policies, see [Setting a private repository policy statement in Amazon ECR](set-repository-policy.md). Amazon ECR repository policies are a subset of IAM policies that are scoped for, and specifically used for, controlling access to individual Amazon ECR repositories. IAM policies are generally used to apply permissions for the entire Amazon ECR service but can also be used to control access to specific resources as well. For more information, see [Repository policies vs IAM policies](repository-policies.md#repository-policy-vs-iam-policy). The following repository policy examples show permission statements that you could use to control access to your Amazon ECR private repositories. **Important** Amazon ECR requires that users have permission to make calls to the `ecr:GetAuthorizationToken` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository. Amazon ECR provides several managed IAM policies to control user access at varying levels. For more information, see [Amazon Elastic Container Registry Identity-based policy examples](security_iam_id-based-policy-examples.md). ## Example: Allow one or more users The following repository policy allows one or more users to push and pull images to and from a repository. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowPushPull", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::111122223333:user/push-pull-user-1", "arn:aws:iam::111122223333:user/push-pull-user-2" ] }, "Action": [ "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability", "ecr:CompleteLayerUpload", "ecr:GetDownloadUrlForLayer", "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart" ], "Resource": "*" } ] } ``` ------ ## Example: Allow another account The following repository policy allows a specific account to push images. **Important** The account you are granting permissions to must have the Region you are creating the repository policy in enabled, otherwise an error will occur. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowCrossAccountPush", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:CompleteLayerUpload", "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart" ], "Resource": "*" } ] } ``` ------ The following repository policy allows some users to pull images (*pull-user-1* and *pull-user-2*) while providing full access to another (*admin-user*). **Note** For more complicated repository policies that are not currently supported in the AWS Management Console, you can apply the policy with the [https://docs.aws.amazon.com/cli/latest/reference/ecr/set-repository-policy.html](https://docs.aws.amazon.com/cli/latest/reference/ecr/set-repository-policy.html) AWS CLI command. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowPull", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::111122223333:user/pull-user-1", "arn:aws:iam::111122223333:user/pull-user-2" ] }, "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ], "Resource": "*" }, { "Sid": "AllowAll", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/admin-user" }, "Action": [ "ecr:*" ], "Resource": "*" } ] } ``` ------ ## Example: Deny all The following repository policy denies all users in all accounts the ability to pull images. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "DenyPull", "Effect": "Deny", "Principal": "*", "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ], "Resource": "*" } ] } ``` ------ ## Example: Restricting access to specific IP addresses The following example denies permissions to any user to perform any Amazon ECR operations when applied to a repository from a specific range of addresses. The condition in this statement identifies the `54.240.143.*` range of allowed Internet Protocol version 4 (IPv4) IP addresses. The `Condition` block uses the `NotIpAddress` conditions and the `aws:SourceIp` condition key, which is an AWS-wide condition key. For more information about these condition keys, see [AWS Global Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). The `aws:sourceIp` IPv4 values use the standard CIDR notation. For more information, see [IP Address Condition Operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_IPAddress) in the *IAM User Guide*. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Id": "ECRPolicyId1", "Statement": [ { "Sid": "IPAllow", "Effect": "Deny", "Principal": "*", "Action": "ecr:*", "Resource": "*", "Condition": { "NotIpAddress": { "aws:SourceIp": "54.240.143.0/24" } } } ] } ``` ------ ## Example: Allow an AWS service The following repository policy allows AWS CodeBuild access to the Amazon ECR API actions necessary for integration with that service. When using the following example, you should use the `aws:SourceArn` and `aws:SourceAccount` condition keys to scope which resources can assume these permissions. For more information, see [Amazon ECR sample for CodeBuild](https://docs.aws.amazon.com/codebuild/latest/userguide/sample-ecr.html) in the *AWS CodeBuild User Guide*. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement":[ { "Sid":"CodeBuildAccess", "Effect":"Allow", "Principal":{ "Service":"codebuild.amazonaws.com" }, "Action":[ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ], "Resource": "*", "Condition":{ "ArnLike":{ "aws:SourceArn":"arn:aws:codebuild:us-east-1:123456789012:project/project-name" }, "StringEquals":{ "aws:SourceAccount":"123456789012" } } } ] } ``` ------ # Setting a private repository policy statement in Amazon ECR Setting a repository policy statement You can add an access policy statement to a repository in the AWS Management Console by following the steps below. You can add multiple policy statements per repository. For example policies, see [Private repository policy examples in Amazon ECR](repository-policy-examples.md). **Important** Amazon ECR requires that users have permission to make calls to the `ecr:GetAuthorizationToken` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository. Amazon ECR provides several managed IAM policies to control user access at varying levels. For more information, see [Amazon Elastic Container Registry Identity-based policy examples](security_iam_id-based-policy-examples.md). **To set a repository policy statement** 1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/repositories](https://console.aws.amazon.com/ecr/repositories). 1. From the navigation bar, choose the Region that contains the repository to set a policy statement on. 1. In the navigation pane, choose **Repositories**. 1. On the **Repositories** page, choose the repository to set a policy statement on to view the contents of the repository. 1. From the repository image list view, in the navigation pane, choose **Permissions**, **Edit**. **Note** If you don't see the **Permissions** option in the navigation pane, ensure that you are in the repository image list view. 1. On the **Edit permissions** page, choose **Add statement**. 1. For **Statement name**, enter a name for the statement. 1. For **Effect**, choose whether the policy statement will result in an allow or an explicit deny. 1. For **Principal**, choose the scope to apply the policy statement to. For more information, see [AWS JSON Policy Elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in the *IAM User Guide*. + You can apply the statement to all authenticated AWS users by selecting the **Everyone (\$1)** check box. + For **Service principal**, specify the service principal name (for example, `ecs.amazonaws.com`) to apply the statement to a specific service. + For **AWS Account IDs**, specify an AWS account number (for example, `111122223333`) to apply the statement to all users under a specific AWS account. Multiple accounts can be specified by using a comma delimited list. **Important** The account you are granting permissions to must have the Region you are creating the repository policy in enabled, otherwise an error will occur. + For **IAM Entities**, select the roles or users under your AWS account to apply the statement to. **Note** For more complicated repository policies that are not currently supported in the AWS Management Console, you can apply the policy with the [https://docs.aws.amazon.com/cli/latest/reference/ecr/set-repository-policy.html](https://docs.aws.amazon.com/cli/latest/reference/ecr/set-repository-policy.html) AWS CLI command. 1. For **Actions**, choose the scope of the Amazon ECR API operations that the policy statement should apply to from the list of individual API operations. 1. When you are finished, choose **Save** to set the policy. 1. Repeat the previous step for each repository policy to add.