[ECR] [feature]: Allow ecr:SetRepositoryPolicy across accounts
Tell us about your request
We would like the private registry permissions policy to support ecr:SetRepositoryPolicy, as it already does for ecr:CreateRepository, ecr:BatchImportUpstreamImage and ecr:ReplicateImage.
We were in contact with AWS support, and they recommended that we open a feature request here. They acknowledged that what we want isn't possible today.
Which service(s) is this request for?
ECR
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
We have a use-case where our application pipelines run in GitHub Actions and create the ECR repository when it does not already exist. We are in a multi-account setup, so the role assumed to do this is not always in the account that holds our private ECR registry. It is not intuitive that we can create the repository across accounts but cannot set its permissions afterwards. This makes our whole IAM role setup much more complex than it has to be.
Are you currently working around this issue?
We are creating an additional role in the account where the ECR registry is, and we are doing role chaining from the IAM role that GitHub Actions assumes into this account for this sole purpose.
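The cross-account split described above and the role-chaining workaround, written out as an added example (not code from the issue or from AWS): the registry policy grants the pipeline role in the other account only the actions the private registry policy accepts, and a helper role in the registry account is assumed for the one call that cannot be delegated there. Account IDs, role names, region and repository name are placeholders.

```shell
# Added example, not from the issue or from AWS. Account IDs, role names,
# region and repository name are placeholders.
set -eu
REGISTRY_ACCOUNT="111111111111"   # owns the private ECR registry
PIPELINE_ACCOUNT="222222222222"   # where the GitHub Actions role lives
REGION="eu-west-1"
PIPELINE_ROLE="arn:aws:iam::${PIPELINE_ACCOUNT}:role/github-actions-deploy"
HELPER_ROLE="arn:aws:iam::${REGISTRY_ACCOUNT}:role/ecr-repo-policy-admin"

# Private registry permissions policy (aws ecr put-registry-policy). It grants the
# pipeline role the three actions the registry policy accepts cross-account;
# ecr:SetRepositoryPolicy cannot be listed here, which is the gap the issue reports.
registry_policy_json() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Sid":"PipelineCreatesRepos",
 "Effect":"Allow","Principal":{"AWS":"${PIPELINE_ROLE}"},
 "Action":["ecr:CreateRepository","ecr:ReplicateImage","ecr:BatchImportUpstreamImage"],
 "Resource":"arn:aws:ecr:${REGION}:${REGISTRY_ACCOUNT}:repository/*"}]}
EOF
}
# Repository policy the pipeline wants to attach right after creating the repo:
# pull-only access for the pipeline account, nothing broader.
repository_policy_json() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Sid":"PipelineAccountPull",
 "Effect":"Allow","Principal":{"AWS":"arn:aws:iam::${PIPELINE_ACCOUNT}:root"},
 "Action":["ecr:BatchGetImage","ecr:GetDownloadUrlForLayer"]}]}
EOF
}
# The workaround: create the repo under the cross-account grant, then chain into
# HELPER_ROLE (trusted only by PIPELINE_ROLE, permitted only ecr:SetRepositoryPolicy
# on this registry) for the single call the registry policy cannot delegate.
ensure_repository_with_policy() {
  repo="$1"
  aws ecr describe-repositories --region "$REGION" --registry-id "$REGISTRY_ACCOUNT" \
    --repository-names "$repo" >/dev/null 2>&1 ||
  aws ecr create-repository --region "$REGION" --registry-id "$REGISTRY_ACCOUNT" \
    --repository-name "$repo" >/dev/null
  # Temporary credentials for the helper role; --output text gives them tab-separated.
  set -- $(aws sts assume-role --role-arn "$HELPER_ROLE" --role-session-name set-repo-policy \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
  AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3" \
    aws ecr set-repository-policy --region "$REGION" --registry-id "$REGISTRY_ACCOUNT" \
      --repository-name "$repo" --policy-text "$(repository_policy_json)" >/dev/null
}
# Only act when a repository name is passed, so the file can be sourced for its functions.
[ "$#" -eq 0 ] || ensure_repository_with_policy "$1"
```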