I have desperately looked for documentation, examples, and posts that hint at a way to restrict certain policies to certain Docker image tags, but haven't been able to find a single example or even a request where someone else has sought to do the same. It's also unfortunate that so much documentation for AWS metadata-type tags (the wrong type of tag) shows up in the search results.
I naively tried to set the tag into the resource value, but was able to access it from a test user without a problem. Of course, I may have inadvertently added the wrong kind of access, too, but then I found it difficult to determine which permissions were generally responsible for allowing docker pulls and which permissions specifically related to pulling tags (if any).
My attempt involved attaching both the "AmazonEC2ContainerRegistryReadOnly" managed policy and a second policy that had the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:DescribeImageScanFindings",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:DescribeImages",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetRepositoryPolicy",
                "ecr:GetLifecyclePolicy"
            ],
            "Resource": "arn:aws:ecr:us-east-1:326764833890:repository/*:development-latest"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ecr:GetRegistryPolicy",
                "ecr:DescribeRegistry",
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        }
    ]
}
Is restricting to certain Docker-image tags supported? Am I missing something else, above?
Thank you.
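A worked example, added here and not part of the question above, that answers the practical part of it: which of the attached policies is actually granting a pull. It implements IAM's wildcard matching for Action and Resource strings and evaluates the question's second policy against repository ARNs. It assumes that an ECR repository ARN has the form `arn:aws:ecr:REGION:ACCOUNT:repository/NAME` with no image-tag component (which is why a `:development-latest` suffix can never match a real repository), uses constructed repository names, and uses a simplified, constructed stand-in for the AmazonEC2ContainerRegistryReadOnly managed policy rather than its exact text.

```python
import re

# Constructed sample: repository ARNs of the kind that would exist in the account from the
# question. ECR's only IAM resource type is the repository, so an image tag such as
# "development-latest" never appears in a real resource ARN (assumption stated in the lead-in).
SAMPLE_REPOSITORY_ARNS = [
    "arn:aws:ecr:us-east-1:326764833890:repository/api",
    "arn:aws:ecr:us-east-1:326764833890:repository/team/worker",
]

# The second policy from the question, with the same statements and resources.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["ecr:DescribeImageScanFindings", "ecr:GetLifecyclePolicyPreview",
                    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:DescribeImages",
                    "ecr:BatchCheckLayerAvailability", "ecr:GetRepositoryPolicy",
                    "ecr:GetLifecyclePolicy"],
         "Resource": "arn:aws:ecr:us-east-1:326764833890:repository/*:development-latest"},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["ecr:GetRegistryPolicy", "ecr:DescribeRegistry", "ecr:GetAuthorizationToken"],
         "Resource": "*"},
    ],
}

# Constructed, simplified stand-in for the AmazonEC2ContainerRegistryReadOnly managed policy:
# pull/read actions on every resource. This is not the managed policy's exact text.
READONLY_STANDIN = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOnlyStandIn", "Effect": "Allow",
        "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                   "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:DescribeImages"],
        "Resource": "*",
    }],
}


def iam_wildcard_match(pattern, value, ignore_case=False):
    """Match an IAM Action/Resource pattern: '*' is any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowing_statements(policies, action, resource_arn):
    """Return (policy name, Sid) for every Allow statement in `policies` that covers
    `action` on `resource_arn`. Action names are case-insensitive; ARNs are not."""
    hits = []
    for name, doc in policies.items():
        for stmt in _as_list(doc["Statement"]):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if (any(iam_wildcard_match(a, action, ignore_case=True) for a in actions)
                    and any(iam_wildcard_match(r, resource_arn) for r in resources)):
                hits.append((name, stmt.get("Sid", "<no Sid>")))
    return hits


def dead_resource_patterns(doc, known_arns):
    """Resource patterns in `doc` that match none of `known_arns`. A statement whose
    Resource matches nothing grants nothing, whatever its Action list says."""
    dead = []
    for stmt in _as_list(doc["Statement"]):
        for pattern in _as_list(stmt.get("Resource", [])):
            if not any(iam_wildcard_match(pattern, arn) for arn in known_arns):
                dead.append(pattern)
    return dead


if __name__ == "__main__":
    attached = {"tag-restricted policy": QUESTION_POLICY,
                "AmazonEC2ContainerRegistryReadOnly (stand-in)": READONLY_STANDIN}
    only_restricted = {"tag-restricted policy": QUESTION_POLICY}
    for arn in SAMPLE_REPOSITORY_ARNS:
        print(arn)
        print("  BatchGetImage allowed by (both attached):",
              allowing_statements(attached, "ecr:BatchGetImage", arn))
        print("  BatchGetImage allowed by (restricted policy alone):",
              allowing_statements(only_restricted, "ecr:BatchGetImage", arn))
    print("Resource patterns matching no repository:",
          dead_resource_patterns(QUESTION_POLICY, SAMPLE_REPOSITORY_ARNS))
```

Running it shows two things a reviewer of this setup wants to know: the `VisualEditor0` statement matches no repository ARN at all (the tag suffix makes it dead), and the only statement that allows `ecr:BatchGetImage` on any repository is the broad managed-policy stand-in with `Resource: "*"`, which is consistent with the test user being able to pull. The same check applies to the real managed policy once you substitute its actual document. Restricting by image tag is not something an ECR resource ARN in an identity policy can express; the unit an ARN names is the repository, so tag-level separation is done by putting images in separate repositories and scoping the Resource to those repository ARNs.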