

Allow OIDC users (currently Github Actions and CircleCI) to also list…
… and delete images in permitted ECRs
ushkarev committed Aug 8, 2023
1 parent c5f3fbf commit 6b87bd9
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion main.tf
Expand Up @@ -202,6 +202,7 @@ resource "random_id" "oidc" {
}

# Base ECR policy for pushing and pulling images, can be used across all OIDC providers
# Also allows listing existing images and deleting them
# See: https://github.com/aws-actions/amazon-ecr-login#permissions
data "aws_iam_policy_document" "base" {
version = "2012-10-17"
Expand All @@ -214,14 +215,17 @@ data "aws_iam_policy_document" "base" {
}

statement {
sid = "AllowPushPull"
sid = "AllowPushPullListDelete"
effect = "Allow"
actions = [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchDeleteImage",
"ecr:CompleteLayerUpload",
"ecr:DescribeImages",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:ListImages",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
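Review bot: Adding `ecr:BatchDeleteImage` to the shared `AllowPushPullListDelete` statement means every OIDC principal that is attached to this base document (the comment above the data block says it is meant for all providers) can delete images, so a compromised CI workflow or short-lived token could remove existing production images rather than only push new ones. Consider keeping the destructive action in its own statement, e.g. `sid = "AllowListDelete"` with `ecr:ListImages`, `ecr:DescribeImages` and `ecr:BatchDeleteImage`, so that delete can be attached only to the providers that actually run cleanup and can be denied or audited separately from push/pull. The `resources` clause that scopes this statement continues past the end of the hunk, so it is not visible here whether delete is limited to the intended repositories; worth confirming. The amazon-ecr-login link in the header comment documents only the push/pull set, so a comment such as `# ListImages/DescribeImages/BatchDeleteImage are not in the amazon-ecr-login set; added for image cleanup` would explain why the extra actions are present.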
