By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

ECR Registry permissions - 'Invalid registry policy provided

0

I am currently trying to setup replication between two accounts. On Account A I have a container image in ECR. On Account B I have two regions that need that image.

When I create the Registry Policy on eu-west-1, it works. When I try to create a similar policy on af-south-1 it fails. When I try to same policy on any other region, it works.

Not sure what I am doing wrong here. I am using the console. Generate statement> Cross account replication policy Statement id: test Accounts: {Working account ID}

Error: Failed to create your statement Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid registry policy provided'

Edit: Here is the statment that I am currently using, taken from the documentation

    "Version":"2012-10-17",
    "Statement":[
        {
            "Sid":"ReplicationAccessCrossAccount",
            "Effect":"Allow",
            "Principal":{
                "AWS":"arn:aws:iam::1111111111111:root"
            },
            "Action":[
                "ecr:CreateRepository",
                "ecr:ReplicateImage"
            ],
            "Resource": [
                "arn:aws:ecr:af-south-1:222222222222:repository/*"
            ]
        }
    ]
}
Topics
Containers
Tags
Amazon Elastic Container Registry (ECR)
Language
English
Geoff
asked 9 months ago1579 views
2 Answers
1
Accepted Answer

I was facing the same error.

In my case, my problem was that the af-south-1 region was not enabled in the aws account where my principal was configured.

in summary, if you have the principal:

            "Principal":{
                "AWS":"arn:aws:iam::1111111111111:root"
            }

then you must enable af-sout-1 region in the 1111111111111 account to be able to configure the policy.

Marco
answered 8 months ago
  • Geoff
    8 months ago

    Thank you for this, this was exactly what it was. The error is very misleading, but as mentioned af-south-1 isn't on by default ( will apply to any region that is optional )

-1

Try this permission { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages", "ecr:BatchGetImage", "ecr:GetLifecyclePolicy", "ecr:GetLifecyclePolicyPreview", "ecr:ListTagsForResource", "ecr:DescribeImageScanFindings" ], "Resource": "*" } ] }

ayush
answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content