Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add new values for ECRAccessPolicy that include ecr:BatchImportUpstreamImage #1270

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

Add new values for ECRAccessPolicy that include ecr:BatchImportUpstreamImage #1270

wants to merge 5 commits into from

Conversation

triarius
Copy link
Contributor

@triarius triarius commented Dec 7, 2023
edited

This IAM permission is necessary to use an ECR pull through cache. Technically, it is not readonly, as images will be written to the pull though cache on cache misses. Surprisingly, it is not in poweruser either. But we think customers will want to give Stacks the ability to use pull through caches without giving full permissions.

See https://docs.aws.amazon.com/AmazonECR/latest/userguide/pull-through-cache.html for more details.

@triarius triarius requested a review from a team December 7, 2023 02:51
yob
yob reviewed Dec 7, 2023
View reviewed changes
templates/aws-stack.yml
Statement:
- Effect: Allow
Action:
- ecr:BatchImportUpstreamImage
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you may also want ecr:CreateRepository here. That permission is required for the first pull of a new image that's never been cached before. After that, ecr:BatchImportUpstreamImage is enough to pull new tags of the image into the repository.

Copy link
Contributor Author

@triarius triarius Dec 7, 2023
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh right, the docs state it as

Grants permission to create a repository in a private registry.

but the "repository" is just the part of the image w/o the tag.

@triarius
Add ecr:CreateRepository
cc346a5 
This is needed for create the repository for the image in the pull-through cache. While there is a risk that users could create repositories in non-pull-through caches, they won't necessarily be able to upload any layers to that repository.
@triarius
Add missing maps
f05a53a
@triarius
s/+pullthrough/-pullthrough/g
68d92cc 
+ is not a valid character in a mapping name for CloudFormation, even
  though it is for YAML.
@triarius
Copy link
Contributor Author

triarius commented Dec 7, 2023

This turned into more of a saga than I thought. I'm going put it back to draft and rework it a little.

@triarius triarius marked this pull request as draft December 7, 2023 06:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yob yob yob left review comments

@DrJosh9000 DrJosh9000 DrJosh9000 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@triarius @yob @DrJosh9000