GitLab CI ECR Policy
This IAM policy allows GitLab CI to interact with AWS ECR (Elastic Container Registry). It grants only what a build job needs: obtaining a registry login token, uploading layers and image manifests, and pulling images, so the CI/CD pipeline can build and publish Docker containers without broader ECR rights.
IAM Policy for GitLab CI to Access ECR
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRAllowAuthToken",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "ECRAllowUploads",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": [
        "arn:aws:ecr:eu-west-1:xxxxxxxxxxxx:repository/*"
      ]
    },
    {
      "Sid": "ECRAllowPull",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": [
        "arn:aws:ecr:eu-west-1:xxxxxxxxxxxx:repository/*"
      ]
    }
  ]
}
Explanation of the IAM Policy
This policy consists of three main statements:
- ECRAllowAuthToken: Allows GitLab CI to retrieve an authentication token for ECR. The resource is "*" because ecr:GetAuthorizationToken does not support resource-level permissions; this is the only statement that needs a wildcard resource.
- ECRAllowUploads: Grants permission to check whether layers already exist, initiate, upload and complete layer uploads, and put image manifests into the ECR repositories in eu-west-1. Replace xxxxxxxxxxxx with your 12-digit account ID; if the pipeline only publishes to known repositories, narrow repository/* to those repository names.
- ECRAllowPull: Allows GitLab CI to batch get images and retrieve download URLs for layers, scoped to the same repositories.
How to Use This Policy
- Create an IAM role in AWS.
- Attach this policy to the IAM role.
- Configure GitLab CI to assume this role when interacting with ECR.
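A pre-flight check worth running before attaching the policy to the role, as an added example that is not part of the original page: it loads a policy document and verifies that Resource "*" is granted only to ecr:GetAuthorizationToken, that every other statement is pinned to a concrete repository ARN with a real account ID (not the xxxxxxxxxxxx placeholder), and that no action outside the page's push/pull set slipped in. The ALLOWED_ACTIONS set, the REPO_ARN pattern and SAMPLE_POLICY are constructed for this example.

```python
"""Least-privilege check for the GitLab CI -> ECR policy above (added
example, not from the original page)."""
import json
import re

ALLOWED_ACTIONS = {  # the eight ECR actions the page's policy grants
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload", "ecr:PutImage",
    "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
}
# Concrete repository ARN: the page's "xxxxxxxxxxxx" placeholder must be
# replaced by a 12-digit account id before the policy is deployed.
REPO_ARN = re.compile(r"^arn:aws:ecr:[a-z0-9-]+:\d{12}:repository/.+$")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to list."""
    return [value] if isinstance(value, str) else list(value)


def check_ecr_policy(policy: dict) -> list:
    """Return findings; an empty list means the policy is as tight as intended."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: unexpected action {action}")
        for res in _as_list(stmt.get("Resource", [])):
            # "*" is acceptable only for the token call, which cannot be scoped
            if res == "*" and actions != ["ecr:GetAuthorizationToken"]:
                findings.append(f"{sid}: Resource * granted for {actions}")
            elif res != "*" and not REPO_ARN.match(res):
                findings.append(f"{sid}: not a concrete ECR repository ARN: {res}")
    return findings


# Constructed sample: the page's first two statements, account id not yet filled in.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "ECRAllowAuthToken", "Effect": "Allow",
  "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
 {"Sid": "ECRAllowUploads", "Effect": "Allow",
  "Action": ["ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
             "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"],
  "Resource": "arn:aws:ecr:eu-west-1:xxxxxxxxxxxx:repository/*"}]}""")

if __name__ == "__main__":
    for finding in check_ecr_policy(SAMPLE_POLICY):
        print(finding)  # flags the placeholder account id
```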
Additional Resources
For more information on AWS IAM policies and ECR, refer to the following resources: