- Le plus récent
- Le plus de votes
- La plupart des commentaires
Hi,
I think that if you grant your ECS task access to the only ECR repo(s) that you want, you're good.
Look at section "Accessing One Amazon ECR Repository" of https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_id-based-policy-examples.html for an example:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"ListImagesInRepository",
"Effect":"Allow",
"Action":[
"ecr:ListImages"
],
"Resource":"arn:aws:ecr:us-east-1:123456789012:repository/my-repo"
},
{
"Sid":"GetAuthorizationToken",
"Effect":"Allow",
"Action":[
"ecr:GetAuthorizationToken"
],
"Resource":"*"
},
{
"Sid":"ManageRepositoryContents",
"Effect":"Allow",
"Action":[
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage"
],
"Resource":"arn:aws:ecr:us-east-1:123456789012:repository/my-repo"
}
]
}
Best,
Didier
Hello.
Looking at the ECS IAM policy list, I think it is difficult to restrict repositories using task definitions.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html
So, how about configuring CI/CD so that ECS is updated when Git Push is performed?
If you set the IAM policy so that each IAM user cannot directly update the ECS task definition, you will be less worried about the task definition repository settings being changed.
Contenus pertinents
- demandé il y a un an
- demandé il y a 2 mois
- demandé il y a 7 mois
- AWS OFFICIELA mis à jour il y a 5 ans
- AWS OFFICIELA mis à jour il y a 5 ans
- AWS OFFICIELA mis à jour il y a 2 ans