IAM Policy for ECR Push and Pull Images

Create an IAM policy for pushing and pulling container images to/from Amazon ECR. Essential for CI/CD pipelines and container-based deployments.

Detailed Explanation

ECR Push and Pull Policy

CI/CD pipelines need to push built container images to ECR, and deployment services (ECS, EKS, Lambda) need to pull them. This policy covers both operations.

Policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowECRAuth",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "AllowECRPull",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/my-app"
    },
    {
      "Sid": "AllowECRPush",
      "Effect": "Allow",
      "Action": [
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/my-app"
    }
  ]
}

Three Statements Explained

  1. GetAuthorizationToken — must use Resource: "*" because it's an account-level action that returns a Docker login token valid for all repositories.
  2. Pull actions — scoped to a specific repository. These are needed by deployment services.
  3. Push actions — scoped to the same repository. These are needed by CI/CD pipelines.

Pull-Only Variant

For deployment services that only need to pull images, remove Statement 3 entirely and keep only the auth and pull statements.

Multiple Repositories

To grant access to multiple repositories, either:

  • List multiple repository ARNs in the Resource array
  • Use a wildcard pattern: arn:aws:ecr:us-east-1:123456789012:repository/my-app-*
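The following is an added example, not code from the page or from the policy generator it describes. It assembles the three-statement policy above from parameters (so the pull-only variant and the multi-repository variant are one function call away) and then lints a policy document against the scoping rules the page states: only GetAuthorizationToken may carry Resource "*", and every other statement must name ECR repository ARNs and stay within the push/pull action set. The function names, the regex, and the sample account, region and repository values are assumptions constructed for the example.

```python
import json
import re

# Constructed sample values for the example; the page's own placeholders.
SAMPLE_ACCOUNT = "123456789012"
SAMPLE_REGION = "us-east-1"

AUTH_ACTION = "ecr:GetAuthorizationToken"
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
]
PUSH_ACTIONS = [
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
]

# Shape of an ECR repository ARN; '*' is allowed so name patterns like my-app-* pass.
REPO_ARN_RE = re.compile(r"^arn:aws:ecr:[a-z0-9-]+:\d{12}:repository/[A-Za-z0-9._/*-]+$")


def repo_arn(region, account, repo):
    """Build one repository ARN (hypothetical helper)."""
    return f"arn:aws:ecr:{region}:{account}:repository/{repo}"


def build_ecr_policy(region, account, repos, allow_push):
    """Assemble the auth + pull (+ push) policy for one or more repositories.

    repos: list of repository names or name patterns (e.g. "my-app-*").
    allow_push=False yields the page's pull-only variant (Statement 3 omitted).
    """
    resources = [repo_arn(region, account, r) for r in repos]
    # A single repository collapses to a plain string, matching the page's JSON.
    resource = resources[0] if len(resources) == 1 else resources
    statements = [
        {"Sid": "AllowECRAuth", "Effect": "Allow", "Action": AUTH_ACTION, "Resource": "*"},
        {"Sid": "AllowECRPull", "Effect": "Allow", "Action": list(PULL_ACTIONS), "Resource": resource},
    ]
    if allow_push:
        statements.append(
            {"Sid": "AllowECRPush", "Effect": "Allow", "Action": list(PUSH_ACTIONS), "Resource": resource}
        )
    return {"Version": "2012-10-17", "Statement": statements}


def lint_ecr_policy(policy):
    """Return a list of findings; an empty list means the policy follows the page's scoping rules."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]

        # Rule 1: Resource "*" is acceptable only on a statement that is exactly the auth action,
        # and the auth action itself needs "*" because it is account-level.
        if "*" in resources and actions != [AUTH_ACTION]:
            findings.append(f"{sid}: Resource '*' is only acceptable for {AUTH_ACTION} on its own")
        if AUTH_ACTION in actions and resources != ["*"]:
            findings.append(f"{sid}: {AUTH_ACTION} requires Resource '*'")

        # Rules 2 and 3: pull/push statements must name repository ARNs.
        if AUTH_ACTION not in actions:
            for r in resources:
                if r != "*" and not REPO_ARN_RE.match(r):
                    findings.append(f"{sid}: resource {r!r} is not an ECR repository ARN")

        # Actions outside the documented push/pull set (including ecr:* or *) are flagged.
        for a in actions:
            too_broad = a == "*" or (
                a.startswith("ecr:") and a != AUTH_ACTION and a not in PULL_ACTIONS + PUSH_ACTIONS
            )
            if too_broad:
                findings.append(f"{sid}: action {a} is outside the push/pull action set")
    return findings


if __name__ == "__main__":
    # Print the pull-only variant for two repositories, ready to paste into IAM.
    print(json.dumps(build_ecr_policy(SAMPLE_REGION, SAMPLE_ACCOUNT, ["my-app", "my-worker"], False), indent=2))
```

Run the file to emit a pull-only policy for two repositories; call build_ecr_policy with allow_push=True for the CI/CD variant. The linter is deliberately strict about Resource "*": it treats a push or pull statement that uses it as a finding, which is the most common way these policies become broader than intended.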

Docker Login Flow

aws ecr get-login-password --region us-east-1 | \
  docker login --username AWS --password-stdin \
  123456789012.dkr.ecr.us-east-1.amazonaws.com

This command uses the GetAuthorizationToken permission.

Use Case

CI/CD pipelines (GitHub Actions, Jenkins, CodeBuild) building and pushing container images, and ECS/EKS/Lambda deployments pulling images from private ECR repositories.
