allow_codebuild

Allow CodeBuild to access your ECR repository with this policy. Securely integrate CodeBuild with ECR for automated builds and deployments.

Allow CodeBuild Access to ECR

This IAM policy allows AWS CodeBuild to access your Amazon Elastic Container Registry (ECR) repository. By granting these permissions, CodeBuild can pull images from your ECR repository during the build process, enabling seamless integration for container-based deployments.

IAM Policy for CodeBuild ECR Access

Below is the JSON policy document that you can attach to your CodeBuild role. This policy grants the necessary permissions for CodeBuild to retrieve images from your ECR repository.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "CodeBuildAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xxxxxxxxxxxx:root"
        ],
        "Service": "codebuild.amazonaws.com"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}

Explanation of Policy Elements

  • Version: Specifies the version of the policy language.
  • Statement: Contains an array of individual statements that define the permissions.
  • Sid: An optional identifier for the statement.
  • Effect: Determines whether the statement allows or denies access. In this case, it's "Allow".
  • Principal: Specifies the entity that is granted the permissions. Here, it includes the root principal of the listed AWS account (which covers that account's IAM users and roles, subject to their own identity policies) and the CodeBuild service principal.
  • Action: Lists the specific ECR actions that are allowed.

How to Use This Policy

  1. Create an IAM role for your CodeBuild project.
  2. Attach this policy to the IAM role.
  3. Ensure that the AWS account ID in the Principal section matches your account.
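
Because the document carries a Principal element, it is the form ECR evaluates as a repository policy. Before applying it, a practitioner usually wants to confirm step 3 (the account ID is real and is yours) and that the statement grants nothing beyond the three pull actions. The following linter is an added example, not code from the original page; the function names and the sample account ID are assumptions.

```python
import json
import re

# Constructed copy of the page's policy, including its placeholder account ID.
POLICY_JSON = """{
  "Version": "2008-10-17",
  "Statement": [{
    "Sid": "CodeBuildAccess",
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::xxxxxxxxxxxx:root"],
                  "Service": "codebuild.amazonaws.com"},
    "Action": ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
               "ecr:GetDownloadUrlForLayer"]
  }]
}"""

# The pull-only actions the page grants; anything beyond them (push, delete,
# policy changes) is more than a build-time pull principal needs.
PULL_ACTIONS = {"ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"}
ACCOUNT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(doc: dict, expected_account: str) -> list:
    """Return findings for every Allow statement; an empty list means clean."""
    findings = []
    if doc.get("Version") not in ("2008-10-17", "2012-10-17"):
        findings.append("unknown policy Version")
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("statement allows any principal")
            continue
        aws_principals = as_list(principal.get("AWS", []))
        if "*" in aws_principals:
            findings.append("statement allows any AWS account")
        for arn in aws_principals:
            match = ACCOUNT_ARN.match(arn)
            if not match:
                findings.append(f"malformed or placeholder principal {arn}")
            elif match.group(1) != expected_account:
                findings.append(f"principal account {match.group(1)} is not {expected_account}")
        extra = set(as_list(stmt.get("Action", []))) - PULL_ACTIONS
        if extra:
            findings.append(f"actions beyond pull-only set: {sorted(extra)}")
    return findings


def check_page_policy(expected_account: str = "123456789012") -> list:
    """Lint the page's policy as-is; the placeholder account ID is flagged."""
    return lint_policy(json.loads(POLICY_JSON), expected_account)
```

Run `check_page_policy()` against the page's policy and it reports the unreplaced `xxxxxxxxxxxx` placeholder; once a real 12-digit ID is substituted and it matches your account, the result is an empty list.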

Additional Resources