awsecrset-repository-policy \--repository-name cluster-autoscaler \--policy-text file:///tmp/my-policy.json# With a .json such as{"Version":"2008-10-17","Statement": [{"Sid":"allow public pull","Effect":"Allow","Principal":"*","Action": ["ecr:BatchCheckLayerAvailability","ecr:BatchGetImage","ecr:GetDownloadUrlForLayer"]}]}
请注意,ECR 要求用户在通过 IAM 策略调用 ecr:GetAuthorizationToken API 之前,必须具有权限,然后才能认证到注册表并从任何 Amazon ECR 存储库推送或拉取任何镜像。
Registry Policy & Cross-account Replication
可以通过配置跨账户复制自动复制外部账户中的注册表,在这种情况下,您需要指明要复制注册表的外部账户。
首先,您需要通过类似以下的注册表策略授予外部账户对注册表的访问权限:
awsecrput-registry-policy--policy-textfile://my-policy.json# With a .json like:{"Sid":"asdasd","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::947247140022:root"},"Action": ["ecr:CreateRepository","ecr:ReplicateImage"],"Resource":"arn:aws:ecr:eu-central-1:947247140022:repository/*"}
然后应用复制配置:
awsecrput-replication-configuration \--replication-configuration file://replication-settings.json \--region us-west-2# Having the .json a content such as:{"rules": [{"destinations": [{"region":"destination_region","registryId":"destination_accountId"}],"repositoryFilters": [{"filter":"repository_prefix_name","filterType":"PREFIX_MATCH"}]}]}
