
AWS ECR: Minimal permissions

Open estrehle opened this issue 3 years ago • 1 comments

First of all, thank you for writing this! The caching works like a charm.

For the AWS ECR example, it might be helpful to add the minimal IAM permissions required to run this action. I got it to work with the following policy. But I am not 100% sure all of them are necessary. Would appreciate your feedback.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetAuthorizationToken",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowCreateRepository",
            "Effect": "Allow",
            "Action": "ecr:CreateRepository",
            "Resource": "*"
        },
        {
            "Sid": "AllowPullAndPush",
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:ListImages",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload"
            ],
            "Resource": "arn:aws:ecr:us-west-1:861729690598:repository/*"
        }
    ]
}

estrehle avatar Jul 13 '21 09:07 estrehle

@estrehle I don't remember having dealt with permission issues when I tested the action in AWS. Did you come up with the minimal config needed to run the action in AWS? It would be great if you can share it as a PR or a comment here.

whoan avatar Nov 11 '21 18:11 whoan

Closing as I didn't hear back and I didn't have to set a policy to use the action (I used a user with full permissions)... ~Specifying the minimal permissions is out of the scope of this action but~ this link may be helpful: https://transang.me/aws-roles-to-push-docker-image-to-elastic-container-registry/

whoan avatar Oct 16 '22 13:10 whoan

Actually, I've come up with the minimal set of permissions both for private and public ECR:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PrivateECR",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:CreateRepository",
                "ecr:ListImages",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage"
            ],
            "Resource": "*"
        },
        {
            "Sid": "PublicECR",
            "Effect": "Allow",
            "Action": [
                "sts:GetServiceBearerToken",
                "ecr-public:DescribeRegistries",
                "ecr-public:GetAuthorizationToken",
                "ecr-public:CreateRepository",
                "ecr-public:DescribeImageTags",
                "ecr-public:InitiateLayerUpload",
                "ecr-public:UploadLayerPart",
                "ecr-public:CompleteLayerUpload",
                "ecr-public:BatchCheckLayerAvailability",
                "ecr-public:PutImage"
            ],
            "Resource": "*"
        }
    ]
}

It's still coarse-grained (I am not specifying the resources), so once I have some more time to spend on it, I will add the needed permissions to the readme.

whoan avatar Dec 11 '22 22:12 whoan
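The comment above leaves the private-ECR statement on `Resource: "*"`. The script below is an added example, not code from the action or from anyone in this thread: it rebuilds that statement scoped to named repository ARNs and lints a policy for Allow statements that grant scopable actions on `"*"`. It keeps `ecr:GetAuthorizationToken` on `"*"` because that action does not accept a resource ARN. The region, account ID, repository names and the set of wildcard-only actions are assumptions chosen for illustration; the thread's own coarse policy is embedded as sample input so the linter has something to flag.

```python
"""Build and lint a least-privilege IAM policy for pushing to private ECR."""
import json

# Actions copied from the private-ECR statement posted in this thread.
GET_AUTH_TOKEN = "ecr:GetAuthorizationToken"
CREATE_REPO = "ecr:CreateRepository"
PUSH_PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
    "ecr:ListImages",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
]

# Actions that cannot be scoped to a repository ARN and so need Resource "*".
# Assumption: this list is kept deliberately small; anything not in it is
# treated as scopable by the linter, which errs on the side of flagging.
WILDCARD_ONLY_ACTIONS = {
    "ecr:GetAuthorizationToken",
    "ecr-public:GetAuthorizationToken",
    "sts:GetServiceBearerToken",
}


def repo_arn(region: str, account_id: str, repo_name: str) -> str:
    """ARN of a private ECR repository; all three parts are caller-supplied."""
    return f"arn:aws:ecr:{region}:{account_id}:repository/{repo_name}"


def scoped_private_ecr_policy(region, account_id, repo_names, allow_create=False):
    """Scoped equivalent of the thread's "PrivateECR" statement.

    GetAuthorizationToken stays on "*"; push/pull actions are limited to the
    named repositories. CreateRepository is granted only when the workflow
    relies on the action creating the repository for it.
    """
    arns = [repo_arn(region, account_id, name) for name in repo_names]
    statements = [
        {"Sid": "GetAuthorizationToken", "Effect": "Allow",
         "Action": [GET_AUTH_TOKEN], "Resource": "*"},
        {"Sid": "PushPullNamedRepos", "Effect": "Allow",
         "Action": PUSH_PULL_ACTIONS, "Resource": arns},
    ]
    if allow_create:
        statements.insert(1, {"Sid": "CreateNamedRepos", "Effect": "Allow",
                              "Action": [CREATE_REPO], "Resource": arns})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy):
    """Sids of Allow statements that grant scopable actions on Resource "*"."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        scopable = [a for a in _as_list(stmt["Action"])
                    if a not in WILDCARD_ONLY_ACTIONS]
        if scopable:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


# Sample input: the coarse-grained policy from the comment above.
COARSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PrivateECR", "Effect": "Allow", "Resource": "*",
         "Action": [GET_AUTH_TOKEN, CREATE_REPO] + PUSH_PULL_ACTIONS},
        {"Sid": "PublicECR", "Effect": "Allow", "Resource": "*",
         "Action": ["sts:GetServiceBearerToken", "ecr-public:DescribeRegistries",
                    "ecr-public:GetAuthorizationToken", "ecr-public:CreateRepository",
                    "ecr-public:DescribeImageTags", "ecr-public:InitiateLayerUpload",
                    "ecr-public:UploadLayerPart", "ecr-public:CompleteLayerUpload",
                    "ecr-public:BatchCheckLayerAvailability", "ecr-public:PutImage"]},
    ],
}

if __name__ == "__main__":
    print("Broad statements in thread policy:", overly_broad_statements(COARSE_POLICY))
    # Illustrative account/region/repository names, not real ones.
    scoped = scoped_private_ecr_policy("us-west-1", "123456789012", ["my-app"])
    print(json.dumps(scoped, indent=2))
    print("Broad statements in scoped policy:", overly_broad_statements(scoped))
```

Run it once against the policy you intend to attach to the workflow's IAM user or role; anything the linter flags other than the token/bearer statements is a candidate for a repository ARN. Leave `allow_create` off unless the repository does not already exist, since creating repositories is a registry-level capability a build job rarely needs.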