- Más nuevo
- Más votos
- Más comentarios
Hi,
I think that if you grant your ECS task access to the only ECR repo(s) that you want, you're good.
Look at section "Accessing One Amazon ECR Repository" of https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_id-based-policy-examples.html for an example:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"ListImagesInRepository",
"Effect":"Allow",
"Action":[
"ecr:ListImages"
],
"Resource":"arn:aws:ecr:us-east-1:123456789012:repository/my-repo"
},
{
"Sid":"GetAuthorizationToken",
"Effect":"Allow",
"Action":[
"ecr:GetAuthorizationToken"
],
"Resource":"*"
},
{
"Sid":"ManageRepositoryContents",
"Effect":"Allow",
"Action":[
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage"
],
"Resource":"arn:aws:ecr:us-east-1:123456789012:repository/my-repo"
}
]
}
Best,
Didier
Hello.
Looking at the ECS IAM policy list, I think it is difficult to restrict repositories using task definitions.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html
So, how about configuring CI/CD so that ECS is updated when Git Push is performed?
If you set the IAM policy so that each IAM user cannot directly update the ECS task definition, you will be less worried about the task definition repository settings being changed.
Contenido relevante
- OFICIAL DE AWSActualizada hace un año
- OFICIAL DE AWSActualizada hace 9 meses
- OFICIAL DE AWSActualizada hace 2 años
- OFICIAL DE AWSActualizada hace un año