10.3.1.2 ECR Repository Policies
A focused guide to ECR Repository Policies, connecting core concepts with practical Docker and container operations.
ECR repository policies are resource-based access policies attached directly to a specific ECR repository, controlling which AWS principals can perform which actions against that particular repository, providing access control scoped precisely to that single repository rather than relying solely on broader IAM policies.
Attaching a Policy to a Specific Repository
A repository policy is defined and attached directly to the repository it should govern.
aws ecr set-repository-policy --repository-name myapp --policy-text file://policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::987654321:root"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ]
    }
  ]
}
This policy grants pull access to a specific external AWS account, a common pattern for sharing a repository across account boundaries.
Why Repository Policies Complement IAM Policies
While IAM policies control what a given AWS identity is permitted to do generally, a repository policy specifically controls access to one particular repository, useful for cross-account access scenarios or fine-grained control that doesn't belong in a broader IAM policy.
aws ecr get-repository-policy --repository-name myapp
Reviewing a repository's current policy confirms exactly what access has been explicitly granted at this specific, repository-scoped level.
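As an added example that is not part of this guide, the following Python audits a repository policy document (the unescaped policyText that get-repository-policy returns) for Allow statements that reach outside the owning account, so a review can flag public or cross-account write grants rather than reading the JSON by eye. The owner account 111122223333, the account 222233334444, the PublicPull and PartnerPush statements, and the WRITE_ACTIONS subset are all constructed for the illustration.

```python
import json

# Constructed, non-exhaustive set of ECR actions that alter repository contents or its policy.
WRITE_ACTIONS = {
    "ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:DeleteRepository",
    "ecr:SetRepositoryPolicy", "ecr:DeleteRepositoryPolicy",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    principal = stmt.get("Principal", {})  # either the string "*" or a map such as {"AWS": [...]}
    if principal == "*":
        return ["*"]
    return [p for key in ("AWS", "Service", "Federated") for p in _as_list(principal.get(key, []))]

def _account_of(principal):
    """'arn:aws:iam::987654321:root' -> '987654321'; bare account IDs and '*' pass through."""
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal

def audit_repository_policy(policy_text, owner_account):
    """Return (Sid, finding) tuples for Allow statements granting access beyond the owner account."""
    findings = []
    for stmt in json.loads(policy_text)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        writes = "ecr:*" in actions or bool(actions & WRITE_ACTIONS)
        for account in {_account_of(p) for p in _principals(stmt)}:
            if account == "*":
                if "Condition" not in stmt:  # a conditioned wildcard (e.g. org-scoped) is left for manual review
                    findings.append((sid, "unconditional wildcard principal: repository is effectively public"))
            elif account != owner_account:
                level = "write/admin" if writes else "read"
                findings.append((sid, f"cross-account {level} access granted to {account}"))
    return findings

# Constructed sample: the guide's pull grant plus two risky statements added for illustration.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowCrossAccountPull", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::987654321:root"},
     "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]},
    {"Sid": "PublicPull", "Effect": "Allow", "Principal": "*", "Action": "ecr:BatchGetImage"},
    {"Sid": "PartnerPush", "Effect": "Allow", "Principal": {"AWS": "222233334444"}, "Action": "ecr:PutImage"},
]})
```

Running audit_repository_policy(SAMPLE_POLICY, "111122223333") reports one cross-account read grant, one public grant, and one cross-account write grant.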
Why Cross-Account Access Often Relies on Repository Policies
Sharing a repository with a different AWS account is a natural fit for a repository policy, since an IAM identity policy can only grant permissions to principals within its own account and cannot by itself authorize a principal from another account. Cross-account access is granted only when both sides allow it: the repository policy must name the external principal, and that principal's own IAM policy must also allow the ECR actions, including ecr:GetAuthorizationToken, which is needed to authenticate to the registry before any pull.
aws ecr set-repository-policy --repository-name shared-base-image --policy-text file://cross-account-policy.json
Why ECR Repository Policies Matter
Repository policies provide an important, precisely scoped layer of access control for ECR, particularly valuable for cross-account sharing scenarios that broader IAM policies alone cannot directly address.